CVE-2026-34073

Published: April 1, 2026Last modified: April 3, 2026

Description

cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Prior to version 46.0.6, DNS name constraints were only validated against SANs within child certificates, and not the "peer name" presented during each validation. Consequently, cryptography would allow a peer named bar.example.com to validate against a wildcard leaf certificate for *.example.com, even if the leaf's parent certificate (or upwards) contained an excluded subtree constraint for bar.example.com. This issue has been patched in version 46.0.6.

Status

Product	Release	Package	Status
Alpaquita Linux	23 LTS	py3-cryptography	Not affected (38.0.3-r1)
	25 LTS	py3-cryptography	Vulnerable (44.0.3-r0)
	Stream	py3-cryptography	Vulnerable (39.0.2-r0)

References

https://github.com/pyca/cryptography/security/advisories/GHSA-m959-cc7f-wv43

How to Fix Liberica NIK Not Starting on macOS Catalina and Later

If you use macOS Catalina and later you may encounter the issue that prevents Liberica NIK from starting. To fix it, run the following:

sudo xattr -r -d com.apple.quarantine path/to/graalvm/folder/

If you need more help, check out the FAQ at the bottom of this page or contact us.