18-11 Backport: Update PyOpenSSL to 25.3.0 and pin python-cryptography to 46.0.7
What does this MR do?
Update PyOpenSSL to 25.3.0 and pin python-cryptography to 46.0.7
Address CVE-2026-26007 in python-cryptography by updating PyOpenSSL to 25.3.0, which supports cryptography v46. Pin python-cryptography to 46.0.7 for consistent, reproducible builds.
Add PYTHON_CRYPTOGRAPHY_VERSION as a versioned build argument passed through CI common build args and included in the toolbox version hash, ensuring cache invalidation reflects dependency changes.
Related issues
- Backport of: !2967 (merged)
Checklist
See Definition of done.
For anything in this list which will not be completed, please provide a reason in the MR discussion.
Required
- Merge Request Title and Description are up to date, accurate, and descriptive
- MR targeting the appropriate branch
- MR has a green pipeline on GitLab.com
- When ready for review, MR is labeled "~workflow::ready for review" per the Distribution MR workflow
Expected (please provide an explanation if not completing)
- Test plan indicating conditions for success has been posted and passes
- Documentation created/updated
- Integration tests added to GitLab QA
- The impact any change in container size has should be evaluated
- New dependencies are managed with GitLab forked renovatebot
Edited by Robert Marshall