Bump citusdata/mitmproxy fork to close pyOpenSSL CVE alerts#8596

Merged
ihalatci merged 4 commits into
mainfrom
chore/bump-mitmproxy-pyopenssl
Jun 4, 2026

Conversation

@ihalatci
Contributor

DESCRIPTION: Update mitmproxy fork to lift pyOpenSSL cap; re-lock to 26.2.0 (closes CVE-2026-27459, CVE-2026-27448)

Summary

Bumps the mitmproxy git ref in both Pipfiles from the pinned commit SHA 70bad9a3c098... to track citusdata/mitmproxy@main. After citusdata/mitmproxy#4 (merge of upstream mitmproxy/mitmproxy@main), our fork's main caps pyOpenSSL<=27.0.0 (was <=25.3.0), unblocking the lockfile from resolving past pyOpenSSL 25.3.0.

Re-locking both Pipfiles via pipenv lock resolves pyopenssl to 26.2.0, closing all four currently-open Dependabot security alerts:

| Alert | CVE | Severity | Patched version |
|---|---|---|---|
| #126 / #125 | CVE-2026-27459 (GHSA-5pwr-322w-8jr4) | High | >=26.0.0 |
| #124 / #123 | CVE-2026-27448 (GHSA-vp96-hxj8-p424) | Low | >=26.0.0 |

Pipfile changes

Single line per file, in both:

  • src/test/regress/Pipfile
  • .devcontainer/src/test/regress/Pipfile
-mitmproxy = {git = "https://github.com/citusdata/mitmproxy.git", ref = "70bad9a3c098f605e5f8b25553e5db5334018ff1"}
+mitmproxy = {git = "https://github.com/citusdata/mitmproxy.git", ref = "main"}
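Review bot: replacing the commit SHA with `ref = "main"` in the Pipfile means any future `pipenv lock` (as opposed to `pipenv sync`) will silently adopt whatever the fork's main branch holds at that moment, so the Pipfile.lock becomes the only thing standing between the repo and an unreviewed fork commit. Since the resolved merge commit df5879516a57ea780e1cc88edaf2051e1d32915f is already known, consider pinning it in the Pipfile (`ref = "df5879516a57ea780e1cc88edaf2051e1d32915f"`) and bumping it deliberately when the fork moves, keeping the lockfile pin as the second line of defense rather than the first.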

The ref="main" form is supported by pipenv for git deps; the resolved commit SHA (df5879516a57ea780e1cc88edaf2051e1d32915f — the merge commit of mitmproxy#4) is pinned in Pipfile.lock, preserving reproducibility.

Lockfile-level changes (re-lock side-effects, no Pipfile pin changes)

| Dep | Before | After | Reason |
|---|---|---|---|
| mitmproxy ref | 70bad9a3... (==12.2.2) | df5879516a... (==13.0.0.dev0) | Fork tracking main |
| pyopenssl | ==25.3.0 | ==26.2.0 | Cap lifted; fixes CVEs |
| asgiref | ==3.11.0 | ==3.11.1 | Latest within range |
| certifi | ==2026.2.25 | ==2026.5.20 | Latest within range |
| click | ==8.3.2 | ==8.4.1 | Latest within range |
| filelock | ==3.28.0 | ==3.29.0 | Latest within range |
| packaging | ==26.1 | ==26.2 | Latest within range |
| psycopg | ==3.3.3 | ==3.3.4 | Latest within range |
| pytest-asyncio | ==1.3.0 | ==1.4.0 | Latest within range |
| urwid | ==3.0.5 | ==4.0.0 | Allowed by mitmproxy main's relaxed cap |
| wcwidth | ==0.6.0 | ==0.7.0 | Latest within range |

Per scope direction, no other direct deps were bumped — only the security-driven mitmproxy ref change. Other transitive movements above are natural consequences of pipenv lock --clear against unchanged version constraints.

Validation

$ cd src/test/regress
$ pipenv sync
Installing dependencies from Pipfile.lock (416d8f)...
All dependencies are now up-to-date!

$ pipenv run pip show mitmproxy pyopenssl | grep -E "^Name:|^Version:"
Name: mitmproxy
Version: 13.0.0.dev0
Name: pyOpenSSL
Version: 26.2.0

Both src/test/regress/Pipfile.lock and .devcontainer/src/test/regress/Pipfile.lock are byte-identical, per the convention established in #8488 and #8547.
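The two properties the description leans on (the git dependency is pinned to a full commit SHA inside Pipfile.lock, and pyopenssl resolved at or past the patched floor) can be checked mechanically after every re-lock. The script below is an added example, not Citus or pipenv code; the lock fragment is constructed in the shape pipenv writes, using the SHA and versions from this PR and a placeholder hash.

```python
# Added example (not Citus or pipenv code): sanity checks on a Pipfile.lock after
# a re-lock, covering what the PR relies on: the git dependency is pinned to a
# full commit SHA in the lock and pyopenssl resolved at or past the patched floor.
import json
import re

SHA1_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed Pipfile.lock fragment shaped like pipenv output; SHA and versions
# are the ones from the PR, the hash value is a placeholder.
SAMPLE_LOCK = json.dumps({
    "default": {
        "mitmproxy": {
            "git": "https://github.com/citusdata/mitmproxy.git",
            "ref": "df5879516a57ea780e1cc88edaf2051e1d32915f",
        },
        "pyopenssl": {"version": "==26.2.0", "hashes": ["sha256:placeholder"]},
    },
    "develop": {},
})

def _entry(lock: dict, name: str) -> dict:
    """Find a package in either pipenv section; pipenv lowercases names."""
    for section in ("default", "develop"):
        if name in lock.get(section, {}):
            return lock[section][name]
    return {}

def git_ref_is_pinned(lock: dict, name: str) -> bool:
    """A branch name such as "main" in the lock would let re-locks drift silently."""
    entry = _entry(lock, name)
    return "git" in entry and bool(SHA1_RE.match(entry.get("ref", "")))

def _as_tuple(version: str) -> tuple:
    return tuple(int(p) for p in re.findall(r"\d+", version))

def version_at_least(lock: dict, name: str, minimum: str) -> bool:
    """Compare the locked ==X.Y.Z pin against a patched-version floor."""
    pin = _entry(lock, name).get("version", "")
    return pin.startswith("==") and _as_tuple(pin[2:]) >= _as_tuple(minimum)

def audit(lock_json: str) -> dict:
    """Run both checks; apply to the regress lock and again to the devcontainer copy."""
    lock = json.loads(lock_json)
    return {
        "mitmproxy_pinned": git_ref_is_pinned(lock, "mitmproxy"),
        "pyopenssl_patched": version_at_least(lock, "pyopenssl", "26.0.0"),
    }
```

Run `audit()` on both lockfiles and compare the raw bytes of the two files to reproduce the byte-identical check from the description.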

Notes

Closes #123
Closes #124
Closes #125
Closes #126

Updates the mitmproxy git ref in both Pipfiles from the pinned
commit SHA (70bad9a3c098...) to track our fork's main branch.
After citusdata/mitmproxy#4 (merge of upstream main), the fork now
caps pyOpenSSL at <=27.0.0 (was <=25.3.0), unblocking lockfile
resolution past pyOpenSSL 25.3.0.

Re-locking both Pipfiles resolves pyopenssl to 26.2.0, closing
all four open Dependabot security alerts:

  #126 / #125  CVE-2026-27459 (HIGH)  patched >=26.0.0
  #124 / #123  CVE-2026-27448 (low)   patched >=26.0.0

Other deps that naturally moved up within existing constraint
ranges during re-lock (no Pipfile-level pin changes):
  asgiref         3.11.0 -> 3.11.1
  certifi      2026.2.25 -> 2026.5.20
  click            8.3.2 -> 8.4.1
  filelock        3.28.0 -> 3.29.0
  packaging         26.1 -> 26.2
  psycopg          3.3.3 -> 3.3.4
  pytest-asyncio   1.3.0 -> 1.4.0
  urwid            3.0.5 -> 4.0.0
  wcwidth          0.6.0 -> 0.7.0

The .devcontainer/src/test/regress Pipfile.lock is kept byte-
identical to src/test/regress/Pipfile.lock per the convention
established in #8488 and #8547.

DESCRIPTION: Update mitmproxy fork to lift pyOpenSSL cap; re-lock to 26.2.0 (closes CVE-2026-27459, CVE-2026-27448)

Closes #123
Closes #124
Closes #125
Closes #126

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@codecov

codecov Bot commented May 28, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 88.73%. Comparing base (c41586c) to head (168183b).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files
@@           Coverage Diff           @@
##             main    #8596   +/-   ##
=======================================
  Coverage   88.73%   88.73%           
=======================================
  Files         288      288           
  Lines       64385    64385           
  Branches     8109     8109           
=======================================
+ Hits        57134    57135    +1     
  Misses       4908     4908           
+ Partials     2343     2342    -1     

@ihalatci ihalatci enabled auto-merge (squash) June 4, 2026 08:14
@ihalatci ihalatci merged commit efa65fc into main Jun 4, 2026
128 checks passed
@ihalatci ihalatci deleted the chore/bump-mitmproxy-pyopenssl branch June 4, 2026 08:30