
[AUTOPATCHER-CORE] Upgrade python-ecdsa to 0.19.2 for CVE-2026-33936#16343

Open
CBL-Mariner-Bot wants to merge 2 commits into fasttrack/3.0 from cblmargh/python-ecdsa-upgrade-to-0.19.2-fasttrack/3.0

Conversation

@CBL-Mariner-Bot (Collaborator)

[AUTOPATCHER-CORE] Upgrade python-ecdsa to 0.19.2 for CVE-2026-33936
Upgrade pipeline run -> https://dev.azure.com/mariner-org/mariner/_build/results?buildId=1080628&view=results

Signed-off-by: Kanishk Bansal <kanbansal@microsoft.com>
@Kanishk-Bansal (Contributor)

Buddy Build

@Kanishk-Bansal Kanishk-Bansal added the CVEFixReadyForMaintainerReview When a CVE fix has been reviewed by release manager and is ready for stable maintainer review label Mar 28, 2026
@Kanishk-Bansal (Contributor) commented Mar 28, 2026

AI analysis of the changes between python-ecdsa 0.18.0 and 0.19.2 to assess upgrade safety. Let me gather the relevant information.

Yes, it's safe to upgrade. The upgrade from 0.18.0 → 0.19.2 spans 3 releases with no breaking changes — only additive features, bug fixes, and a security patch. Here's the summary:

**Release-by-Release Changelog**

**0.19.0 (Apr 2024)**

| Category | Details |
| --- | --- |
| New API | `to_ssh` method on `VerifyingKey` and `SigningKey` (Ed25519 keys only) |
| New features | Support for twisted Brainpool curves |
| Deprecations | `int_to_string`, `string_to_int`, `digest_integer` from `ecdsa.ecdsa` are now deprecated (still functional, will be removed in a future release) |
| Maintenance | Dropped CI support for Python 3.3/3.4; added Python 3.11/3.12; removed unused `_rwlock` module |

**0.19.1 (Mar 2025)**

| Category | Details |
| --- | --- |
| New API | `der.remove_implicit` and `der.encode_implicit` for DER IMPLICIT values |
| Bug fixes | Fix arithmetic with non-prime order curves; fix curves with (0, 0) on them; fix signature canonicalization when s is just slightly above half of curve order |
| Maintenance | Dropped CI for Python 3.5; added Python 3.12/3.13 to CI |

**0.19.2 (Mar 2026)**

| Category | Details |
| --- | --- |
| 🔒 Security Fixes | CVE-2026-33936 — DER parsing issue in `remove_octet_string()`, `remove_constructed()`, and `remove_implicit()` where a truncated buffer wasn't detected, causing `SigningKey.from_der()` to raise unexpected exceptions |
| Maintenance | CI updated to newer Ubuntu |

**Risk Assessment**

| Factor | Assessment |
| --- | --- |
| Breaking changes | ✅ None |
| API removals | ✅ None (deprecations are warnings only) |
| Security | ⚠️ Upgrading is recommended — 0.19.2 fixes CVE-2026-33936 |
| Backward compatibility | ✅ Fully backward compatible |
| Python version support | ✅ Broadened (adds 3.11, 3.12, 3.13) |

Action Items

  1. Check for deprecation warnings: If you use int_to_string, string_to_int, or digest_integer from ecdsa.ecdsa, plan to migrate away from them (they still work but will be removed eventually).
  2. Upgrade confidently — this is a safe, non-breaking upgrade and is actively recommended due to the CVE fix in 0.19.2.
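The bug class the analysis above attributes to CVE-2026-33936 (a DER `remove_*` helper that does not notice when the declared length runs past the end of the buffer) is easy to see in a small TLV reader. The following is an added example written for this review, not code from python-ecdsa; the helper names (`remove_tlv`, `naive_remove_tlv`, `remove_octet_string`, `remove_sequence`, `parse_toy_key`) and the sample key blob are hypothetical stand-ins, and the toy structure `SEQUENCE { OCTET STRING }` is constructed for the demonstration. It places the bounds-checked helper beside an unchecked one, so the difference between a clean `UnexpectedDER` and a silently shortened body is visible on a truncated input.

```python
# Added example (not python-ecdsa code): a minimal DER TLV reader whose
# remove_* helpers verify that a declared length fits in the buffer, beside a
# naive variant that relies on bytes slicing and therefore misses truncation.
# All names and the sample blob are hypothetical / constructed.


class UnexpectedDER(ValueError):
    """Raised when the input is not the DER structure we expected."""


def _read_length(data, pos):
    """Decode a DER length at data[pos]; return (length, position after it)."""
    if pos >= len(data):
        raise UnexpectedDER("length byte missing (truncated input)")
    first = data[pos]
    pos += 1
    if first < 0x80:                       # short form: one byte
        return first, pos
    nbytes = first & 0x7F
    if nbytes == 0 or nbytes > 4:          # 0x80 (indefinite) is BER, not DER
        raise UnexpectedDER("unsupported length encoding")
    if pos + nbytes > len(data):
        raise UnexpectedDER("length field truncated")
    length = int.from_bytes(data[pos:pos + nbytes], "big")
    if length < 0x80 or data[pos] == 0:    # DER requires the minimal encoding
        raise UnexpectedDER("non-minimal length encoding")
    return length, pos + nbytes


def remove_tlv(data, expected_tag):
    """Strip one TLV with expected_tag; return (body, remainder).

    The comparison against the remaining byte count is the whole point: a
    declared length that exceeds the buffer is reported as UnexpectedDER
    instead of being sliced short and failing somewhere later."""
    if not data:
        raise UnexpectedDER("empty input, expected tag 0x%02x" % expected_tag)
    if data[0] != expected_tag:
        raise UnexpectedDER("expected tag 0x%02x, got 0x%02x" % (expected_tag, data[0]))
    length, pos = _read_length(data, 1)
    remaining = len(data) - pos
    if length > remaining:
        raise UnexpectedDER("declared length %d exceeds remaining %d bytes (truncated input)"
                            % (length, remaining))
    return data[pos:pos + length], data[pos + length:]


def naive_remove_tlv(data, expected_tag):
    """Same helper without the bounds check: slicing past the end of a bytes
    object silently returns fewer bytes, so truncation goes unnoticed here."""
    if not data or data[0] != expected_tag:
        raise UnexpectedDER("tag mismatch")
    length, pos = _read_length(data, 1)
    return data[pos:pos + length], data[pos + length:]


def remove_octet_string(data):
    return remove_tlv(data, 0x04)


def remove_sequence(data):
    return remove_tlv(data, 0x30)


def parse_toy_key(der, strict=True):
    """Parse the toy structure SEQUENCE { OCTET STRING key } and return key.
    strict=False routes through the unchecked helper to show the difference."""
    strip = remove_tlv if strict else naive_remove_tlv
    body, rest = strip(der, 0x30)
    if rest:
        raise UnexpectedDER("trailing data after SEQUENCE")
    key, rest = strip(body, 0x04)
    if rest:
        raise UnexpectedDER("trailing data inside SEQUENCE")
    return key


def truncation_is_detected(der):
    """True when the bounds-checked parser rejects der with UnexpectedDER."""
    try:
        parse_toy_key(der, strict=True)
    except UnexpectedDER:
        return True
    return False


# Constructed sample: SEQUENCE { OCTET STRING of 32 bytes }, plus a copy with
# the last 5 bytes cut off, standing in for a truncated key file.
KEY = bytes(range(32))
_INNER = b"\x04\x20" + KEY
SAMPLE_DER = b"\x30" + bytes([len(_INNER)]) + _INNER
TRUNCATED_DER = SAMPLE_DER[:-5]

if __name__ == "__main__":
    print("strict, intact key:", parse_toy_key(SAMPLE_DER).hex())
    print("naive, truncated -> key length:", len(parse_toy_key(TRUNCATED_DER, strict=False)))
    print("strict, truncated rejected:", truncation_is_detected(TRUNCATED_DER))
```

On the truncated blob the naive path returns a 27-byte "key" and no error, which is the kind of state that surfaces later as an unrelated exception; the checked path raises `UnexpectedDER` at the first helper whose length does not fit. A test that feeds a few truncated prefixes of a known-good `.der` file into `SigningKey.from_der()` and expects the library's documented DER error rather than an arbitrary exception is a reasonable regression check to keep alongside the upgrade.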

@Kanishk-Bansal (Contributor)

Full Build

Name: python-ecdsa
Version: 0.18.0
Release: 2%{?dist}
Version: 0.19.2
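Review bot: the snippet shows `Version:` moving from 0.18.0 to 0.19.2 while `Release: 2%{?dist}` is visible next to it; if the Release field is not reset to `1%{?dist}` as part of this hunk, please do so, since a version bump conventionally restarts the release counter and the %changelog entry for the new version should carry the matching release and mention CVE-2026-33936 so the fix is traceable from the package metadata.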
Collaborator

What have we done to verify this minor upgrade is safe?

Name: python-ecdsa
Version: 0.18.0
Release: 2%{?dist}
Version: 0.19.2
Collaborator

What was done beyond ptest to confirm that this upgrade will not introduce compatibility issues?

Contributor

According to the changelog, there are no new breaking changes, Jon. Shared analysis above in the PR comment.


Labels

Automatic PR AutoUpgrade Core CVE-fixed-by-upgrade CVE fixed by package upgrade CVEFixReadyForMaintainerReview When a CVE fix has been reviewed by release manager and is ready for stable maintainer review fasttrack/3.0 PRs Destined for Azure Linux 3.0 Packaging security
