Update PyOpenSSL to 25.3.0 and pin python-cryptography to 46.0.7

What does this MR do?

Update PyOpenSSL to 25.3.0 to ensure python-cryptography is at least 46.0.5.

Addresses CVE-2026-26007 raised in a customer request. The vulnerability is in python-cryptography and fixed in at least 46.0.5. A newer version of PyOpenSSL was required to support the updated cryptography library; the Changelog says v25.3.0 supports up to cryptography v46. However, cryptography v48 is not supported by the currently used version of gsutil. Therefore, this MR increments and sets PyOpenSSL to the latest v25 minor release as a conservative update that would ensure cryptography is sufficiently bumped.

Furthermore, for more consistent builds and clarity on which version we're running, this MR also adds a pinned version for python-cryptography to be used together with PyOpenSSL to determine a version to run. For now it is set to the latest release of python-cryptography supported by PyOpenSSL, which is v46.0.7.

Checklist

See Definition of done.

For anything in this list which will not be completed, please provide a reason in the MR discussion.

Required

  • Merge Request Title, and Description are up to date, accurate, and descriptive
  • MR targeting the appropriate branch
  • MR has a green pipeline on GitLab.com
  • When ready for review, MR is labeled "~workflow::ready for review" per the Distribution MR workflow

Expected (please provide an explanation if not completing)

  • Test plan indicating conditions for success has been posted and passes
  • Documentation created/updated
  • Integration tests added to GitLab QA
  • The impact any change in container size has should be evaluated
  • New dependencies are managed with GitLab forked renovatebot
Edited by Nailia Iskhakova
