
dependabot-pip(deps): bump openexr from 3.4.5 to 3.4.11#27

Open

dependabot[bot] wants to merge 1 commit into dev from dependabot/pip/dev/openexr-3.4.11

Conversation

@dependabot
Contributor

@dependabot dependabot Bot commented on behalf of github May 17, 2026

Bumps openexr from 3.4.5 to 3.4.11.

Release notes

Sourced from openexr's releases.

v3.4.11

Patch release that addresses the following security vulnerabilities:

  • CVE-2026-42217 Shift exponent overflow in readVariableLengthInteger() (ImfIDManifest.cpp)

  • CVE-2026-42216 Out-of-bounds read in IDManifest::init() during prefix expansion

  • CVE-2026-41142 Integer overflow in ImageChannel::resize leads to heap OOB write via OpenEXRUtil public API

  • OSS-fuzz 504280155 Heap-buffer-overflow in DwaCompressor_uncompress

  • OSS-fuzz 505062709 Null-dereference READ in Imf_3_3::prefixFromLayerName

Build fixes:

  • Fix Windows ARM64EC build issues and correct SIMD ARM NEON path for ARM64/EC

Also, some minor documentation updates:

  • GitHub Security Advisories are the preferred way of reporting vulnerabilities, not email.
  • Some clarification around handling of UTF-8 file paths

v3.4.10

Patch release that addresses the following security vulnerabilities:

v3.4.9

Patch release that addresses several security vulnerabilities.

This release also fixes a build issue where the library symlinks would get installed in the incorrect location when overriding the cached install prefix path.

This release addresses the following CVEs:

  • CVE-2026-34589 DWA Lossy Decoder Heap Out-of-Bounds Write
  • CVE-2026-34588 Signed 32-bit Overflow in PIZ Decoder Leads to OOB Read/Write
  • CVE-2026-34380 Signed integer overflow (undefined behavior) in undo_pxr24_impl may allow bounds-check bypass in PXR24 decompression
  • CVE-2026-34379 Misaligned write in LossyDctDecoder_execute leading to undefined behavior (DWA/DWAB decompression)
  • CVE-2026-34378 Signed integer overflow in generic_unpack() when parsing EXR files with crafted negative dataWindow.min.x

v3.4.8

Patch release with several bug/build fixes:

  • Fix an integer-overflow bug reading malformed files compressed with B44A/B44B
  • Fix a buffer-overrun bug reading malformed files compressed with PXR24
  • Fix a bug compressing half data with ZIPS/ZIP data when the compressed size equals packed size
  • Single part files no longer get assigned a part name when writing via the python module
  • Fix a build failure on FreeBSD involving threads.h

This also eliminates several compiler warnings, particularly about the deprecated isOptimizationEnabled() API and deprecates standard attributes.

v3.4.7

... (truncated)

Changelog

Sourced from openexr's changelog.

Version 3.4.11 (April 29, 2026)

Patch release that addresses the following security vulnerabilities:

  • CVE-2026-42217 Shift exponent overflow in readVariableLengthInteger() (ImfIDManifest.cpp)
  • CVE-2026-42216 Out-of-bounds read in IDManifest::init() during prefix expansion
  • CVE-2026-41142 Integer overflow in ImageChannel::resize leads to heap OOB write via OpenEXRUtil public API

Also:

  • OSS-fuzz 504280155 Heap-buffer-overflow in DwaCompressor_uncompress
  • OSS-fuzz 505062709 Null-dereference READ in Imf_3_3::prefixFromLayerName

Build fixes:

  • Fix Windows ARM64EC build issues and correct SIMD ARM NEON path for ARM64/EC

Also, some minor documentation updates:

  • GitHub Security Advisories are the preferred way of reporting vulnerabilities, not email.
  • Some clarification around handling of UTF-8 file paths

Merged Pull Requests

  • 2383 validate that the uncompressed sizes recorded in the dwa header are valid
  • 2382 Fix Null-dereference READ in prefixFromLayerName
  • 2378 Harden IDManifest parsing against illegal shift and string prefix OOB
  • 2377 Fix OOB read when expanding IDManifest prefix-compressed strings
  • 2375 Minor changes to website index page to make some sentences clearer. A…
  • 2368 Add release notes and news for v3.4.10, v3.3.10, v3.2.8
  • 2367 Fix int overflow in ImageChannel::resize pixel count
  • 2364 Recommend GH Security Advisories for vulnerability reporting
  • 2361 Add documentation and test for UTF-8 file paths
  • 2344 Fix Windows ARM64EC build issues and correct SIMD ARM NEON path for ARM64/EC

... (truncated)

Commits
  • d25e2a8 Add 2344 and 2382 to v3.4.11 notes
  • f6d6fd3 Fix Null-dereference READ (#2382)
  • e56ec07 Fix Windows ARM64EC build issues and correct SIMD ARM NEON path (#2344)
  • 8e6f745 mention doc updates in v3.4.11 release notes
  • b2d23e2 notes for v3.4.11
  • 3809488 bump version for v3.4.11
  • 20aed45 validate that the uncompressed sizes recorded in the dwa header are valid (#2...
  • b8f127c Fix int overflow in ImageChannel::resize pixel count (#2367)
  • d2baa13 Harden IDManifest parsing against illegal shift and string prefix OOB (#2378)
  • eebf599 Fix OOB read when expanding IDManifest prefix-compressed strings (#2377)
  • Additional commits viewable in compare view


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
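The two v3.4.11 fixes that matter most to anyone feeding untrusted EXR files into this code base are a shift exponent overflow in a variable-length integer reader and an integer overflow in a pixel count that leads to a heap out-of-bounds write. The following C++ is an added illustration of those two bug classes, written for this review; it is not OpenEXR's code and does not reproduce the project's actual encoding, types or fixes (readVarIntUnchecked, readVarIntChecked, ChannelUnchecked, ChannelChecked, the LEB128-style byte layout and the kMaxPixels cap are all assumptions made for the example). It shows the vulnerable pattern beside a hardened form for each class, and why the 3.4.5 to 3.4.11 bump is a memory-safety fix rather than a routine patch bump.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Added illustration of two bug classes named in the v3.4.11 notes. These are
// NOT OpenEXR's functions; the real encoding, types and fixes live in the
// project's sources and are not reproduced here.

// ---- 1. Variable-length integer decoding with an unbounded shift ----------
// Assumed LEB128-style layout: 7 payload bits per byte, high bit = "more".

struct VarInt {
    bool ok;
    uint64_t value;
    size_t consumed;
};

// Vulnerable form: the shift grows by 7 per byte with no bound, so ten or more
// continuation bytes shift a uint64_t by 64 or more bits, which is undefined
// behaviour (the "shift exponent overflow" class). Shown for contrast only;
// call it only on input known to be well-formed.
VarInt readVarIntUnchecked(const std::vector<uint8_t>& data) {
    uint64_t value = 0;
    unsigned shift = 0;
    for (size_t i = 0; i < data.size(); ++i) {
        value |= static_cast<uint64_t>(data[i] & 0x7f) << shift;
        if ((data[i] & 0x80) == 0) return {true, value, i + 1};
        shift += 7;  // 63 at byte 9, 70 at byte 10: past the width of uint64_t
    }
    return {false, 0, data.size()};
}

// Hardened form: the byte index is bounded by the widest representable value,
// so the shift exponent is always < 64, and the tenth byte may only carry bit 63.
VarInt readVarIntChecked(const std::vector<uint8_t>& data) {
    const size_t kMaxBytes = 10;  // ceil(64 / 7)
    uint64_t value = 0;
    for (size_t i = 0; i < data.size() && i < kMaxBytes; ++i) {
        uint64_t bits = data[i] & 0x7f;
        if (i == kMaxBytes - 1 && bits > 1) return {false, 0, i + 1};  // would drop bits
        value |= bits << (7 * i);
        if ((data[i] & 0x80) == 0) return {true, value, i + 1};
    }
    return {false, 0, data.size()};  // truncated input or too many continuation bytes
}

// ---- 2. Pixel-count overflow in a channel resize --------------------------

// Vulnerable form: width * height is computed in 32 bits. Unsigned arithmetic
// is used here so the wrap is deterministic for the demonstration; with a
// signed int the overflow is undefined behaviour as well. 65536 x 65536 wraps
// to 0, so the buffer holds zero pixels while width/height say otherwise, and
// every later pixel write lands outside the allocation (heap OOB write).
struct ChannelUnchecked {
    std::vector<float> pixels;
    int width = 0, height = 0;
    void resize(int w, int h) {
        uint32_t count = static_cast<uint32_t>(w) * static_cast<uint32_t>(h);
        pixels.resize(count);
        width = w;
        height = h;
    }
};

// Returns how many pixels the unchecked resize actually allocated for w x h.
size_t uncheckedAllocation(int w, int h) {
    ChannelUnchecked c;
    c.resize(w, h);
    return c.pixels.size();
}

// Hardened form: reject negative dimensions, widen before multiplying (two
// non-negative ints always fit in uint64_t), and enforce an application cap.
// kMaxPixels is an assumed policy value for this example, not an OpenEXR constant.
struct ChannelChecked {
    std::vector<float> pixels;
    int width = 0, height = 0;
    static constexpr uint64_t kMaxPixels = uint64_t{1} << 30;

    bool resize(int w, int h) {
        if (w < 0 || h < 0) return false;
        uint64_t count = static_cast<uint64_t>(w) * static_cast<uint64_t>(h);
        if (count > kMaxPixels) return false;
        pixels.resize(static_cast<size_t>(count));
        width = w;
        height = h;
        return true;
    }
};

// Returns whether the hardened resize accepted w x h; *allocated gets the size.
bool checkedResize(int w, int h, size_t* allocated) {
    ChannelChecked c;
    bool ok = c.resize(w, h);
    if (allocated) *allocated = c.pixels.size();
    return ok;
}

int main() {
    const std::vector<uint8_t> good{0xE5, 0x8E, 0x26};  // constructed: encodes 624485
    VarInt v = readVarIntChecked(good);
    std::printf("varint ok=%d value=%llu consumed=%zu\n", v.ok,
                static_cast<unsigned long long>(v.value), v.consumed);
    std::printf("unchecked 65536x65536 allocates %zu pixels\n", uncheckedAllocation(65536, 65536));
    size_t n = 0;
    std::printf("checked 65536x65536 accepted=%d\n", checkedResize(65536, 65536, &n));
    return 0;
}
```

The same discipline applies when auditing the rest of the dependency tree: any parser that derives a buffer size or a shift amount from file-supplied values needs the bound checked before the arithmetic, not after, because once the overflow has happened the result looks like a perfectly ordinary small number.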

Bumps [openexr](https://github.com/AcademySoftwareFoundation/OpenEXR) from 3.4.5 to 3.4.11.
- [Release notes](https://github.com/AcademySoftwareFoundation/OpenEXR/releases)
- [Changelog](https://github.com/AcademySoftwareFoundation/openexr/blob/main/CHANGES.md)
- [Commits](AcademySoftwareFoundation/openexr@v3.4.5...v3.4.11)

---
updated-dependencies:
- dependency-name: openexr
  dependency-version: 3.4.11
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot @github
Contributor Author

dependabot Bot commented on behalf of github May 17, 2026

Labels

The following labels could not be found: dependencies, pip. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

@dependabot dependabot Bot requested a review from vanvianen as a code owner May 17, 2026 06:07