chore(deps): [security] bump cryptography from 41.0.7 to 42.0.0
Bumps cryptography from 41.0.7 to 42.0.0. This update includes a security fix.
Vulnerabilities fixed
Python Cryptography package vulnerable to Bleichenbacher timing oracle attack A flaw was found in the python-cryptography package. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data.
Patched versions: 42.0.0 Affected versions: < 42.0.0
Changelog
Sourced from cryptography's changelog.
42.0.0 - 2024-01-22
* **BACKWARDS INCOMPATIBLE:** Dropped support for LibreSSL < 3.7. * **BACKWARDS INCOMPATIBLE:** Loading a PKCS7 with no content field using :func:`~cryptography.hazmat.primitives.serialization.pkcs7.load_pem_pkcs7_certificates` or :func:`~cryptography.hazmat.primitives.serialization.pkcs7.load_der_pkcs7_certificates` will now raise a ``ValueError`` rather than return an empty list. * Parsing SSH certificates no longer permits malformed critical options with values, as documented in the 41.0.2 release notes. * Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.2.0. * Updated the minimum supported Rust version (MSRV) to 1.63.0, from 1.56.0. * We now publish both ``py37`` and ``py39`` ``abi3`` wheels. This should resolve some errors relating to initializing a module multiple times per process. * Support :class:`~cryptography.hazmat.primitives.asymmetric.padding.PSS` for X.509 certificate signing requests and certificate revocation lists with the keyword-only argument ``rsa_padding`` on the ``sign`` methods for :class:`~cryptography.x509.CertificateSigningRequestBuilder` and :class:`~cryptography.x509.CertificateRevocationListBuilder`. * Added support for obtaining X.509 certificate signing request signature algorithm parameters (including PSS) via :meth:`~cryptography.x509.CertificateSigningRequest.signature_algorithm_parameters`. * Added support for obtaining X.509 certificate revocation list signature algorithm parameters (including PSS) via :meth:`~cryptography.x509.CertificateRevocationList.signature_algorithm_parameters`. * Added ``mgf`` property to :class:`~cryptography.hazmat.primitives.asymmetric.padding.PSS`. * Added ``algorithm`` and ``mgf`` properties to :class:`~cryptography.hazmat.primitives.asymmetric.padding.OAEP`. * Added the following properties that return timezone-aware ``datetime`` objects: :meth:`~cryptography.x509.Certificate.not_valid_before_utc`, :meth:`~cryptography.x509.Certificate.not_valid_after_utc`, :meth:`~cryptography.x509.RevokedCertificate.revocation_date_utc`, :meth:`~cryptography.x509.CertificateRevocationList.next_update_utc`, :meth:`~cryptography.x509.CertificateRevocationList.last_update_utc`. These are timezone-aware variants of existing properties that return naïve ``datetime`` objects. * Deprecated the following properties that return naïve ``datetime`` objects: :meth:`~cryptography.x509.Certificate.not_valid_before`, :meth:`~cryptography.x509.Certificate.not_valid_after`, :meth:`~cryptography.x509.RevokedCertificate.revocation_date`, :meth:`~cryptography.x509.CertificateRevocationList.next_update`, :meth:`~cryptography.x509.CertificateRevocationList.last_update` in favor of the new timezone-aware variants mentioned above. * Added support for :class:`~cryptography.hazmat.primitives.ciphers.algorithms.ChaCha20` on LibreSSL. * Added support for RSA PSS signatures in PKCS7 with </tr></table>
... (truncated)
Commits
-
4e64baf
42.0.0 version bump (#10232) -
7cb13a3
we'll ship 3.2.0 for 42 (#9951) -
605c74e
Bump x509-limbo and/or wycheproof in CI (#10231) -
97578b9
Bump BoringSSL and/or OpenSSL in CI (#10230) -
972a7b5
verification: add test_verify_tz_aware (#10229) -
41daf2d
Migrate PKCS7 backend to Rust (#10228) -
d54093e
Remove some skips in tests that aren't needed anymore (#10223) -
71929bd
Remove binding that's not used anymore (#10224) -
7ea4b89
fixed formatting in changelog (#10225) -
410f4a1
Allow brainpool on libressl (#10222) - Additional commits viewable in compare view