
Conversation

@jamie-albert
Member

@jamie-albert jamie-albert commented Oct 29, 2025

Summary

Fixes GHSA-79v4-65xg-pq4g and GHSA-h4gh-qq45-vh27 in airflow-3 by upgrading Python from 3.12 to 3.13.

Issue

Both vulnerabilities affect the cryptography package:

Evidence

Current Constraint Mismatch (Python 3.12)

Airflow pulls upstream constraints which vary by Python version:

Python 3.12 constraints: cryptography==42.0.8 (vulnerable)

Source

Fixed Constraint Available (Python 3.13)

Python 3.13 constraints: cryptography==46.0.0 (contains fix)

Source

Upstream Python 3.13 Support

Airflow v3.1.0+ officially supports Python 3.13 (released with Python 3.9 EOL)

Source

Upstream Cryptography Dependency

Airflow sets only a lower bound: cryptography>=41.0.0

Source: https://github.com/search?q=repo%3Aapache%2Fairflow+%22cryptography&type=code

This allows the constraints file to specify the actual version used per Python version.

Changes

  1. Upgraded Python version: 3.12 → 3.13
  2. Removed manual constraint override
  3. Incremented epoch: 0 → 1
  4. Updated comments: documented Python 3.13 support timing
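
The constraint mismatch described in the PR above, as an added example that is not part of the PR description or of the Airflow or Chainguard projects' own tooling: a small checker that parses pip-style constraints files for several Python versions, reports which `cryptography` version each one pins, and shows that a pin can satisfy Airflow's own `cryptography>=41.0.0` lower bound while still sitting below the version the PR identifies as fixed. The constraints text is constructed sample input that only mirrors the two pins the PR quotes, and `ASSUMED_FIXED_VERSION = "46.0.0"` is taken from the PR's claim rather than from the advisories, so verify it against GHSA-79v4-65xg-pq4g and GHSA-h4gh-qq45-vh27 before relying on it.

```python
"""Check which version of a package an Airflow constraints file would pin per
Python version, and whether that pin reaches an assumed fixed version.

Added example; not code from the PR or from the Airflow/Chainguard projects.
"""
import re
from typing import Dict, Optional, Tuple

# Constructed sample constraints files, one per Python version, in the
# "name==version" format Airflow's upstream constraints files use. Only the
# cryptography pins mirror what the PR quotes; the other lines are filler.
SAMPLE_CONSTRAINTS: Dict[str, str] = {
    "3.12": (
        "# constructed excerpt, not the real constraints-3.12.txt\n"
        "apache-airflow-providers-http==5.0.0\n"
        "cryptography==42.0.8\n"
        "requests==2.32.3\n"
    ),
    "3.13": (
        "# constructed excerpt, not the real constraints-3.13.txt\n"
        "apache-airflow-providers-http==5.0.0\n"
        "cryptography==46.0.0\n"
        "requests==2.32.3\n"
    ),
}

# Assumed values: the lower bound the PR quotes from Airflow's metadata, and the
# first version the PR says carries the fix. Confirm the latter against the
# advisories before relying on it.
AIRFLOW_LOWER_BOUND = "cryptography>=41.0.0"
ASSUMED_FIXED_VERSION = "46.0.0"

_PIN_RE = re.compile(
    r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([0-9][0-9A-Za-z.]*)\s*(?:;.*)?$"
)
_BOUND_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*>=\s*([0-9][0-9A-Za-z.]*)\s*$")


def normalize(name: str) -> str:
    """PEP 503 name normalisation so 'Cryptography' and 'cryptography' match."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_version(v: str) -> Tuple[int, ...]:
    """Numeric release segments only; enough for pins such as 42.0.8 / 46.0.0."""
    parts = []
    for seg in v.split("."):
        m = re.match(r"\d+", seg)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def version_ge(a: str, b: str) -> bool:
    """a >= b on release segments, padding with zeros so 46.0 == 46.0.0."""
    pa, pb = parse_version(a), parse_version(b)
    n = max(len(pa), len(pb))
    return pa + (0,) * (n - len(pa)) >= pb + (0,) * (n - len(pb))


def pinned_version(constraints_text: str, package: str) -> Optional[str]:
    """Return the ==version pin for `package`, or None if the file does not pin it."""
    want = normalize(package)
    for line in constraints_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = _PIN_RE.match(line)
        if m and normalize(m.group(1)) == want:
            return m.group(2)
    return None


def assess(constraints_by_python: Dict[str, str], package: str,
           lower_bound: str, fixed_version: str) -> Dict[str, Dict[str, object]]:
    """Per Python version: the pin, whether it satisfies the package's lower
    bound, and whether it reaches the assumed fixed version. A pin can pass the
    lower bound and still be below the fix, which is the situation the PR fixes."""
    m = _BOUND_RE.match(lower_bound)
    if not m or normalize(m.group(1)) != normalize(package):
        raise ValueError(f"expected a '{package}>=X' bound, got {lower_bound!r}")
    bound_version = m.group(2)
    report: Dict[str, Dict[str, object]] = {}
    for py, text in constraints_by_python.items():
        pin = pinned_version(text, package)
        report[py] = {
            "pinned": pin,
            "satisfies_lower_bound": pin is not None and version_ge(pin, bound_version),
            "fixed": pin is not None and version_ge(pin, fixed_version),
        }
    return report


if __name__ == "__main__":
    result = assess(SAMPLE_CONSTRAINTS, "cryptography",
                    AIRFLOW_LOWER_BOUND, ASSUMED_FIXED_VERSION)
    for py, r in result.items():
        print(f"Python {py}: {r}")
```

To run it against the real files, replace the `SAMPLE_CONSTRAINTS` values with the contents of Airflow's `constraints-3.12.txt` and `constraints-3.13.txt` for the release you build; the parser ignores comment lines and environment markers, so the upstream files drop in unchanged.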

@octo-sts
Contributor

octo-sts bot commented Oct 29, 2025

📡 Build Failed: Network

curl: (22) The requested URL returned error: 403

Build Details

Build System: melange
Failure Point: auth/guarded-repo step during OctoSTS token exchange

Root Cause Analysis 🔍

Authentication failure when attempting to obtain a GitHub token for the private repository chainguard-dev/iamguarded-tools. The OctoSTS service returned a 403 Forbidden error, indicating insufficient permissions or invalid credentials for the elastic-build identity to access the guarded repository.


🔍 Build failure fix suggestions

Found similar build failures that have been fixed in the past and analyzed them to suggest a fix:

Similar PRs with fixes

Suggested Changes

File: airflow-3.yaml

  • version_update at line 3 (package.version)
    Original: version: "3.1.1"
    Replacement: version: "3.1.2"
    Content: Update package version to latest stable release

  • commit_update at line 53 (pipeline git-checkout expected-commit)
    Original: expected-commit: f969e6374daa8469938169be16a28f7c073a5ce9
    Replacement: expected-commit: [NEW_COMMIT_HASH_FOR_3.1.2]
    Content: Update expected commit hash to match version 3.1.2 tag

  • epoch_reset at line 4 (package.epoch)
    Original: epoch: 1 # GHSA-r397-ff8c-wv2g
    Replacement: epoch: 0
    Content: Reset epoch for new version

Analysis

The analysis of similar fixed build failures reveals a pattern where authentication errors with OctoSTS (HTTP 400, 403, 404) were consistently resolved by updating package versions and corresponding git commit hashes. In all three fix examples, the solution involved bumping the package version (e.g., from 1.12.4 to 1.12.5) and updating the expected-commit hash to match the new version tag. This suggests that authentication failures often occur when the build system is trying to access repositories with outdated or mismatched version/commit combinations, and updating to the latest stable version resolves authentication issues by ensuring proper alignment between package metadata and repository state.


Explanation

The suggested fix addresses the root cause of the authentication failure by updating the Airflow package to the latest version (3.1.2) and ensuring the git commit hash matches this version. Based on the pattern observed in similar fixes, authentication errors with OctoSTS often occur when there's a mismatch between the package version being built and the repository state. The iamguarded-tools repository access requires proper version alignment, and outdated versions may have authentication issues or deprecated access patterns. By updating to 3.1.2, we ensure: 1) The package uses the latest authentication mechanisms and repository access patterns, 2) The expected-commit hash corresponds to a valid, accessible tag in the repository, 3) Any security or authentication improvements in the newer version are applied. The epoch reset to 0 follows the standard practice when bumping to a new upstream version.


Alternative Approaches

  • Investigate and update the OctoSTS service configuration or elastic-build identity permissions to ensure proper access to chainguard-dev/iamguarded-tools repository
  • Add retry logic with exponential backoff for the OctoSTS authentication step to handle transient authentication failures
  • Temporarily remove the iamguarded-compat subpackage if it's not critical, to bypass the authentication requirement while investigating the root cause
  • Check if the repository URL or authentication endpoint for iamguarded-tools has changed and update the build configuration accordingly


@octo-sts octo-sts bot added the ai/skip-comment label ("Stop AI from commenting on PR") Oct 29, 2025
@octo-sts octo-sts bot added the bincapz/pass label ("Bincapz (aka. malcontent) scan didn't detect any CRITICALs on the scanned packages") Oct 29, 2025
@jamie-albert
Member Author

This will require version streaming. More info in my AM.
