Skip to content

Chore(deps): [security] bump cryptography from 42.0.2 to 42.0.4

HIFIS Bot requested to merge dependabot-pip-cryptography-42.0.4 into main

Bumps cryptography from 42.0.2 to 42.0.4. This update includes a security fix.

Vulnerabilities fixed

cryptography NULL pointer dereference with pkcs12.serialize_key_and_certificates when called with a non-matching certificate and private key and an hmac_hash override If pkcs12.serialize_key_and_certificates is called with both:

  1. A certificate whose public key did not match the provided private key
  2. An encryption_algorithm with hmac_hash set (via PrivateFormat.PKCS12.encryption_builder().hmac_hash(...)

Then a NULL pointer dereference would occur, crashing the Python process.

This has been resolved, and now a ValueError is properly raised.

Patched in pyca/cryptography#10423

Patched versions: 42.0.4 Affected versions: >= 38.0.0, < 42.0.4

Changelog

Sourced from cryptography's changelog.

42.0.4 - 2024-02-20


* Fixed a null-pointer-dereference and segfault that could occur when creating
  a PKCS#12 bundle. Credit to **Alexander-Programming** for reporting the
  issue. **CVE-2024-26130**
* Fixed ASN.1 encoding for PKCS7/SMIME signed messages. The fields ``SMIMECapabilities``
  and ``SignatureAlgorithmIdentifier`` should now be correctly encoded according to the
  definitions in :rfc:`2633` :rfc:`3370`.
.. _v42-0-3:
42.0.3 - 2024-02-15
  • Fixed an initialization issue that caused key loading failures for some users.

.. _v42-0-2:

Commits

Merge request reports

Loading