Overview

File _patchinfo of Package patchinfo.24761

<patchinfo incident="24761">
  <category>recommended</category>
  <rating>moderate</rating>
  <packager>msmeissn</packager>
  <summary>Recommended update for python-cryptography</summary>
<description>
This update for python-cryptography fixes the following issues:

python-cryptography was updated to 3.3.2.

update to 3.3.0:

* BACKWARDS INCOMPATIBLE: The GCM and AESGCM now require 64-bit
  to 1024-bit (8 byte to 128 byte) initialization vectors. This
  change is to conform with an upcoming OpenSSL release that will
  no longer support sizes outside this window.
* BACKWARDS INCOMPATIBLE: When deserializing asymmetric keys we
  now raise ValueError rather than UnsupportedAlgorithm when an
  unsupported cipher is used. This change is to conform with an
  upcoming OpenSSL release that will no longer distinguish
  between error types.
* BACKWARDS INCOMPATIBLE: We no longer allow loading of finite
  field Diffie-Hellman parameters of less than 512 bits in
  length. This change is to conform with an upcoming OpenSSL
  release that no longer supports smaller sizes. These keys were
  already wildly insecure and should not have been used in any
  application outside of testing.
* Added the recover_data_from_signature() function to
  RSAPublicKey for recovering the signed data from an RSA
  signature. 

Update to 3.2.1:

Disable blinding on RSA public keys to address an error with
some versions of OpenSSL.

update to 3.2 (bsc#1178168, CVE-2020-25659):

* CVE-2020-25659: Attempted to make RSA PKCS#1v1.5 decryption more constant time,
  to protect against Bleichenbacher vulnerabilities. Due to limitations imposed
  by our API, we cannot completely mitigate this vulnerability.
* Added basic support for PKCS7 signing (including SMIME) via PKCS7SignatureBuilder.

update to 3.1:

* **BACKWARDS INCOMPATIBLE:** Removed support for ``idna`` based
  :term:`U-label` parsing in various X.509 classes. This support was originally
  deprecated in version 2.1 and moved to an extra in 2.5.
* ``backend`` arguments to functions are no longer required and the
  default backend will automatically be selected if no ``backend`` is provided.
* Added initial support for parsing certificates from PKCS7 files with
  :func:`~cryptography.hazmat.primitives.serialization.pkcs7.load_pem_pkcs7_certificates`
  and
  :func:`~cryptography.hazmat.primitives.serialization.pkcs7.load_der_pkcs7_certificates`
  .
* Calling ``update`` or ``update_into`` on
  :class:`~cryptography.hazmat.primitives.ciphers.CipherContext` with ``data``
  longer than 2\ :sup:`31` bytes no longer raises an ``OverflowError``. This
  also resolves the same issue in :doc:`/fernet`.

update to 3.0:

* RSA generate_private_key() no longer accepts public_exponent values except
   65537 and 3 (the latter for legacy purposes).
* X.509 certificate parsing now enforces that the version field contains
   a valid value, rather than deferring this check until version is accessed.
* Deprecated support for Python 2
* Added support for OpenSSH serialization format for ec, ed25519, rsa and dsa
   private keys: load_ssh_private_key() for loading and OpenSSH for writing.
* Added support for OpenSSH certificates to load_ssh_public_key().
* Added encrypt_at_time() and decrypt_at_time() to Fernet.
* Added support for the SubjectInformationAccess X.509 extension.
* Added support for parsing SignedCertificateTimestamps in OCSP responses.
* Added support for parsing attributes in certificate signing requests via get_attribute_for_oid().
* Added support for encoding attributes in certificate signing requests via add_attribute().
* On OpenSSL 1.1.1d and higher cryptography now uses OpenSSL’s built-in CSPRNG
   instead of its own OS random engine because these versions of OpenSSL properly reseed on fork.
* Added initial support for creating PKCS12 files with serialize_key_and_certificates().

Update to 2.9:

* BACKWARDS INCOMPATIBLE: Support for Python 3.4 has been removed due to
  low usage and maintenance burden.
* BACKWARDS INCOMPATIBLE: Support for OpenSSL 1.0.1 has been removed.
  Users on older version of OpenSSL will need to upgrade.
* BACKWARDS INCOMPATIBLE: Support for LibreSSL 2.6.x has been removed.
* Removed support for calling public_bytes() with no arguments, as per 
  our deprecation policy. You must now pass encoding and format.
* BACKWARDS INCOMPATIBLE: Reversed the order in which rfc4514_string()
  returns the RDNs as required by RFC 4514.
* Added support for parsing single_extensions in an OCSP response.
* NameAttribute values can now be empty strings.

</description>
  <issue id="1198331" tracker="bnc"/>
  <issue id="PM-3445" tracker="jsc"/>
</patchinfo>
openSUSE Build Service is sponsored by
Places