Skip to content

[Security] Bump cryptography from 40.0.1 to 41.0.4

HIFIS Bot requested to merge dependabot-pip-cryptography-41.0.4 into main

Bumps cryptography from 40.0.1 to 41.0.4. This update includes security fixes.

Vulnerabilities fixed

cryptography mishandles SSH certificates The cryptography package before 41.0.2 for Python mishandles SSH certificates that have critical options.

Patched versions: 41.0.2; 41.0.2 Affected versions: = 40.0.0, < 41.0.2

Vulnerable OpenSSL included in cryptography wheels pyca/cryptography's wheels include a statically linked copy of OpenSSL. The versions of OpenSSL included in cryptography 0.5-40.0.2 are vulnerable to a security issue. More details about the vulnerability itself can be found in https://www.openssl.org/news/secadv/20230530.txt.

If you are building cryptography source ("sdist") then you are responsible for upgrading your copy of OpenSSL. Only users installing from wheels built by the cryptography project (i.e., those distributed on PyPI) need to update their cryptography versions.

Patched versions: 41.0.0 Affected versions: >= 0.5, <= 40.0.2

pyca/cryptography's wheels include vulnerable OpenSSL pyca/cryptography's wheels include a statically linked copy of OpenSSL. The versions of OpenSSL included in cryptography 0.8-41.0.2 are vulnerable to several security issues. More details about the vulnerabilities themselves can be found in https://www.openssl.org/news/secadv/20230731.txt, https://www.openssl.org/news/secadv/20230719.txt, and https://www.openssl.org/news/secadv/20230714.txt.

If you are building cryptography source ("sdist") then you are responsible for upgrading your copy of OpenSSL. Only users installing from wheels built by the cryptography project (i.e., those distributed on PyPI) need to update their cryptography versions.

Patched versions: 41.0.3 Affected versions: >= 0.8, < 41.0.3

Vulnerable OpenSSL included in cryptography wheels pyca/cryptography's wheels include a statically linked copy of OpenSSL. The versions of OpenSSL included in cryptography 2.5-41.0.3 are vulnerable to several security issues. More details about the vulnerabilities themselves can be found in https://www.openssl.org/news/secadv/20230908.txt.

If you are building cryptography source ("sdist") then you are responsible for upgrading your copy of OpenSSL. Only users installing from wheels built by the cryptography project (i.e., those distributed on PyPI) need to update their cryptography versions.

Patched versions: 41.0.4 Affected versions: >= 2.5, < 41.0.4

Changelog

Sourced from cryptography's changelog.

41.0.4 - 2023-09-19


* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.1.3.
.. _v41-0-3:
41.0.3 - 2023-08-01
  • Fixed performance regression loading DH public keys.
  • Fixed a memory leak when using :class:~cryptography.hazmat.primitives.ciphers.aead.ChaCha20Poly1305.
  • Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.1.2.

.. _v41-0-2:

41.0.2 - 2023-07-10


* Fixed bugs in creating and parsing SSH certificates where critical options
  with values were handled incorrectly. Certificates are now created correctly
  and parsing accepts correct values as well as the previously generated
  invalid forms with a warning. In the next release, support for parsing these
  invalid forms will be removed.
.. _v41-0-1:
41.0.1 - 2023-06-01
  • Temporarily allow invalid ECDSA signature algorithm parameters in X.509 certificates, which are generated by older versions of Java.
  • Allow null bytes in pass phrases when serializing private keys.

.. _v41-0-0:

41.0.0 - 2023-05-30


* **BACKWARDS INCOMPATIBLE:** Support for OpenSSL less than 1.1.1d has been
  removed.  Users on older version of OpenSSL will need to upgrade.
* **BACKWARDS INCOMPATIBLE:** Support for Python 3.6 has been removed.
* **BACKWARDS INCOMPATIBLE:** Dropped support for LibreSSL < 3.6.
* Updated the minimum supported Rust version (MSRV) to 1.56.0, from 1.48.0.
* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.1.1.
* Added support for the :class:`~cryptography.x509.OCSPAcceptableResponses`
  OCSP extension.
* Added support for the :class:`~cryptography.x509.MSCertificateTemplate`
  proprietary Microsoft certificate extension.
</tr></table> 

... (truncated)

Commits

Merge request reports

Loading