Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update cryptography to 42.0.7 #442

Closed
wants to merge 2 commits into from

Conversation

pyup-bot
Copy link
Collaborator

@pyup-bot pyup-bot commented May 6, 2024

This PR updates cryptography from 41.0.4 to 42.0.7.

Changelog

42.0.7

~~~~~~~~~~~~~~~~~~~

* Restored Windows 7 compatibility for our pre-built wheels. Note that we do
not test on Windows 7 and wheels for our next release will not support it.
Microsoft no longer provides support for Windows 7 and users are encouraged
to upgrade.

.. _v42-0-6:

42.0.6

~~~~~~~~~~~~~~~~~~~

* Fixed compilation when using LibreSSL 3.9.1.

.. _v42-0-5:

42.0.5

~~~~~~~~~~~~~~~~~~~

* Limit the number of name constraint checks that will be performed in
:mod:`X.509 path validation <cryptography.x509.verification>` to protect
against denial of service attacks.
* Upgrade ``pyo3`` version, which fixes building on PowerPC.

.. _v42-0-4:

42.0.4

~~~~~~~~~~~~~~~~~~~

* Fixed a null-pointer-dereference and segfault that could occur when creating
a PKCS12 bundle. Credit to **Alexander-Programming** for reporting the
issue. **CVE-2024-26130**
* Fixed ASN.1 encoding for PKCS7/SMIME signed messages. The fields ``SMIMECapabilities``
and ``SignatureAlgorithmIdentifier`` should now be correctly encoded according to the
definitions in :rfc:`2633` :rfc:`3370`.

.. _v42-0-3:

42.0.3

~~~~~~~~~~~~~~~~~~~

* Fixed an initialization issue that caused key loading failures for some
users.

.. _v42-0-2:

42.0.2

~~~~~~~~~~~~~~~~~~~

* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.2.1.
* Fixed an issue that prevented the use of Python buffer protocol objects in
``sign`` and ``verify`` methods on asymmetric keys.
* Fixed an issue with incorrect keyword-argument naming with ``EllipticCurvePrivateKey``
:meth:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKey.exchange`,
``X25519PrivateKey``
:meth:`~cryptography.hazmat.primitives.asymmetric.x25519.X25519PrivateKey.exchange`,
``X448PrivateKey``
:meth:`~cryptography.hazmat.primitives.asymmetric.x448.X448PrivateKey.exchange`,
and ``DHPrivateKey``
:meth:`~cryptography.hazmat.primitives.asymmetric.dh.DHPrivateKey.exchange`.

.. _v42-0-1:

42.0.1

~~~~~~~~~~~~~~~~~~~

* Fixed an issue with incorrect keyword-argument naming with ``EllipticCurvePrivateKey``
:meth:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePrivateKey.sign`.
* Resolved compatibility issue with loading certain RSA public keys in
:func:`~cryptography.hazmat.primitives.serialization.load_pem_public_key`.

.. _v42-0-0:

42.0.0

~~~~~~~~~~~~~~~~~~~

* **BACKWARDS INCOMPATIBLE:** Dropped support for LibreSSL < 3.7.
* **BACKWARDS INCOMPATIBLE:** Loading a PKCS7 with no content field using
:func:`~cryptography.hazmat.primitives.serialization.pkcs7.load_pem_pkcs7_certificates`
or
:func:`~cryptography.hazmat.primitives.serialization.pkcs7.load_der_pkcs7_certificates`
will now raise a ``ValueError`` rather than return an empty list.
* Parsing SSH certificates no longer permits malformed critical options with
values, as documented in the 41.0.2 release notes.
* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.2.0.
* Updated the minimum supported Rust version (MSRV) to 1.63.0, from 1.56.0.
* We now publish both ``py37`` and ``py39`` ``abi3`` wheels. This should
resolve some errors relating to initializing a module multiple times per
process.
* Support :class:`~cryptography.hazmat.primitives.asymmetric.padding.PSS` for
X.509 certificate signing requests and certificate revocation lists with the
keyword-only argument ``rsa_padding`` on the ``sign`` methods for
:class:`~cryptography.x509.CertificateSigningRequestBuilder` and
:class:`~cryptography.x509.CertificateRevocationListBuilder`.
* Added support for obtaining X.509 certificate signing request signature
algorithm parameters (including PSS) via
:meth:`~cryptography.x509.CertificateSigningRequest.signature_algorithm_parameters`.
* Added support for obtaining X.509 certificate revocation list signature
algorithm parameters (including PSS) via
:meth:`~cryptography.x509.CertificateRevocationList.signature_algorithm_parameters`.
* Added ``mgf`` property to
:class:`~cryptography.hazmat.primitives.asymmetric.padding.PSS`.
* Added ``algorithm`` and ``mgf`` properties to
:class:`~cryptography.hazmat.primitives.asymmetric.padding.OAEP`.
* Added the following properties that return timezone-aware ``datetime`` objects:
:meth:`~cryptography.x509.Certificate.not_valid_before_utc`,
:meth:`~cryptography.x509.Certificate.not_valid_after_utc`,
:meth:`~cryptography.x509.RevokedCertificate.revocation_date_utc`,
:meth:`~cryptography.x509.CertificateRevocationList.next_update_utc`,
:meth:`~cryptography.x509.CertificateRevocationList.last_update_utc`.
These are timezone-aware variants of existing properties that return naïve
``datetime`` objects.
* Deprecated the following properties that return naïve ``datetime`` objects:
:meth:`~cryptography.x509.Certificate.not_valid_before`,
:meth:`~cryptography.x509.Certificate.not_valid_after`,
:meth:`~cryptography.x509.RevokedCertificate.revocation_date`,
:meth:`~cryptography.x509.CertificateRevocationList.next_update`,
:meth:`~cryptography.x509.CertificateRevocationList.last_update`
in favor of the new timezone-aware variants mentioned above.
* Added support for
:class:`~cryptography.hazmat.primitives.ciphers.algorithms.ChaCha20`
on LibreSSL.
* Added support for RSA PSS signatures in PKCS7 with
:meth:`~cryptography.hazmat.primitives.serialization.pkcs7.PKCS7SignatureBuilder.add_signer`.
* In the next release (43.0.0) of cryptography, loading an X.509 certificate
with a negative serial number will raise an exception. This has been
deprecated since 36.0.0.
* Added support for
:class:`~cryptography.hazmat.primitives.ciphers.aead.AESGCMSIV` when using
OpenSSL 3.2.0+.
* Added the :mod:`X.509 path validation <cryptography.x509.verification>` APIs
for :class:`~cryptography.x509.Certificate` chains. These APIs should be
considered unstable and not subject to our stability guarantees until
documented as such in a future release.
* Added support for
:class:`~cryptography.hazmat.primitives.ciphers.algorithms.SM4`
:class:`~cryptography.hazmat.primitives.ciphers.modes.GCM`
when using OpenSSL 3.0 or greater.

.. _v41-0-7:

41.0.7

~~~~~~~~~~~~~~~~~~~

* Fixed compilation when using LibreSSL 3.8.2.

.. _v41-0-6:

41.0.6

~~~~~~~~~~~~~~~~~~~

* Fixed a null-pointer-dereference and segfault that could occur when loading
certificates from a PKCS7 bundle.  Credit to **pkuzco** for reporting the
issue. **CVE-2023-49083**

.. _v41-0-5:

41.0.5

~~~~~~~~~~~~~~~~~~~

* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.1.4.
* Added a function to support an upcoming ``pyOpenSSL`` release.

.. _v41-0-4:
Links

@pyup-bot
Copy link
Collaborator Author

Closing this in favor of #450

@pyup-bot pyup-bot closed this Jul 20, 2024
@akuzminsky akuzminsky deleted the pyup-update-cryptography-41.0.4-to-42.0.7 branch July 20, 2024 22:07
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant