[Security] Bump cryptography from 40.0.1 to 41.0.6
Bumps cryptography from 40.0.1 to 41.0.6. This update includes security fixes.
Vulnerabilities fixed
cryptography mishandles SSH certificates
The cryptography package before 41.0.2 for Python mishandles SSH certificates that have critical options.
Patched versions: 41.0.2
Affected versions: >= 40.0.0, < 41.0.2
Vulnerable OpenSSL included in cryptography wheels
pyca/cryptography's wheels include a statically linked copy of OpenSSL. The versions of OpenSSL included in cryptography 0.5-40.0.2 are vulnerable to a security issue. More details about the vulnerability itself can be found in https://www.openssl.org/news/secadv/20230530.txt.
If you are building cryptography from source ("sdist") then you are responsible for upgrading your copy of OpenSSL. Only users installing from wheels built by the cryptography project (i.e., those distributed on PyPI) need to update their cryptography versions.
Patched versions: 41.0.0
Affected versions: >= 0.5, <= 40.0.2
pyca/cryptography's wheels include vulnerable OpenSSL
pyca/cryptography's wheels include a statically linked copy of OpenSSL. The versions of OpenSSL included in cryptography 0.8-41.0.2 are vulnerable to several security issues. More details about the vulnerabilities themselves can be found in https://www.openssl.org/news/secadv/20230731.txt, https://www.openssl.org/news/secadv/20230719.txt, and https://www.openssl.org/news/secadv/20230714.txt.
If you are building cryptography from source ("sdist") then you are responsible for upgrading your copy of OpenSSL. Only users installing from wheels built by the cryptography project (i.e., those distributed on PyPI) need to update their cryptography versions.
Patched versions: 41.0.3
Affected versions: >= 0.8, < 41.0.3
Vulnerable OpenSSL included in cryptography wheels
pyca/cryptography's wheels include a statically linked copy of OpenSSL. The versions of OpenSSL included in cryptography 2.5-41.0.3 are vulnerable to several security issues. More details about the vulnerabilities themselves can be found in https://www.openssl.org/news/secadv/20230908.txt.
If you are building cryptography from source ("sdist") then you are responsible for upgrading your copy of OpenSSL. Only users installing from wheels built by the cryptography project (i.e., those distributed on PyPI) need to update their cryptography versions.
Patched versions: 41.0.4
Affected versions: >= 2.5, < 41.0.4
cryptography vulnerable to NULL-dereference when loading PKCS7 certificates
Summary
Calling load_pem_pkcs7_certificates or load_der_pkcs7_certificates could lead to a NULL-pointer dereference and segfault.
PoC
Here is Python code that triggers the issue:

    from cryptography.hazmat.primitives.serialization.pkcs7 import (
        load_der_pkcs7_certificates,
        load_pem_pkcs7_certificates,
    )

    # The same PKCS#7 ContentInfo (content type signedData, no content) in PEM and DER form.
    pem_p7 = b"""
    -----BEGIN PKCS7-----
    MAsGCSqGSIb3DQEHAg==
    -----END PKCS7-----
    """
    der_p7 = b"\x30\x0B\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x07\x02"

    # On affected versions each call dereferences a NULL pointer and the process segfaults.
    load_pem_pkcs7_certificates(pem_p7)
    load_der_pkcs7_certificates(der_p7)

... (truncated)
Patched versions: 41.0.6
Affected versions: >= 3.1, < 41.0.6
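The five advisories above each give an affected range and a patched version, and the three OpenSSL ones only matter for wheel installs. The following checker is an added example (not part of this Dependabot PR or of pyca/cryptography): it transcribes those ranges from the text above, reports which advisories still apply to a given cryptography version, and, when the package is installed, shows which OpenSSL it actually links against. The helper names (parse_version, affected_advisories, installed_report) are my own; the May 2023 OpenSSL range "<= 40.0.2, patched 41.0.0" is expressed as "< 41.0.0", which is equivalent because 41.0.0 is the patched release.

```python
"""Check a cryptography version against the advisories listed in this bump.

Added example, not code from the PR or from pyca/cryptography. Advisory names
and bounds are transcribed from the PR text; the helper names are assumptions.
"""
from __future__ import annotations

import re

# (advisory, first affected version inclusive, first patched version exclusive)
ADVISORIES = [
    ("SSH certificates with critical options mishandled", "40.0.0", "41.0.2"),
    # The PR states "<= 40.0.2, patched 41.0.0"; "< 41.0.0" is the same range.
    ("OpenSSL secadv 2023-05-30 bundled in wheels", "0.5", "41.0.0"),
    ("OpenSSL secadv 2023-07-14/19/31 bundled in wheels", "0.8", "41.0.3"),
    ("OpenSSL secadv 2023-09-08 bundled in wheels", "2.5", "41.0.4"),
    ("NULL dereference loading PKCS7 certificates (CVE-2023-49083)", "3.1", "41.0.6"),
]

_VERSION_RE = re.compile(r"^\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?")


def parse_version(text: str) -> tuple[int, int, int]:
    """Turn '41.0.6', '3.1' or '0.5' into a comparable (major, minor, patch) tuple.

    Missing components count as 0. Pre-release or local suffixes ('rc1', '+foo')
    are ignored, so a pre-release is treated like the release it precedes.
    """
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"not a version string: {text!r}")
    major, minor, patch = (int(g or 0) for g in m.groups())
    return (major, minor, patch)


def affected_advisories(version: str) -> list[str]:
    """Names of the advisories whose affected range contains `version`."""
    v = parse_version(version)
    return [
        name
        for name, first_bad, first_fixed in ADVISORIES
        if parse_version(first_bad) <= v < parse_version(first_fixed)
    ]


def installed_report() -> dict[str, object] | None:
    """Report the installed cryptography version, the OpenSSL it links against,
    and the advisories still open for it. Returns None when cryptography is not
    installed. The OpenSSL advisories only apply to wheel installs; an sdist
    build links whatever OpenSSL the build machine had, which is the string
    reported here, so for an sdist build compare that string against the
    OpenSSL advisories instead of the cryptography version.
    """
    try:
        import cryptography
        from cryptography.hazmat.backends.openssl import backend
    except ImportError:
        return None
    return {
        "cryptography": cryptography.__version__,
        "openssl": backend.openssl_version_text(),
        "advisories": affected_advisories(cryptography.__version__),
    }


if __name__ == "__main__":
    # Constructed sample: the version this PR bumps from, and the version it bumps to.
    for sample in ("40.0.1", "41.0.6"):
        print(sample, "->", affected_advisories(sample) or "no listed advisories")
    print(installed_report() or "cryptography is not installed")
```

Run it in the environment you are auditing rather than on a build host: the OpenSSL string comes from the linked library at import time, which is exactly what the wheel advisories are about.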
Changelog
Sourced from cryptography's changelog.

41.0.6 - 2023-11-27
- Fixed a null-pointer-dereference and segfault that could occur when loading certificates from a PKCS#7 bundle. Credit to **pkuzco** for reporting the issue. **CVE-2023-49083**

41.0.5 - 2023-10-24
- Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.1.4.
- Added a function to support an upcoming pyOpenSSL release.

41.0.4 - 2023-09-19
- Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.1.3.

41.0.3 - 2023-08-01
- Fixed performance regression loading DH public keys.
- Fixed a memory leak when using cryptography.hazmat.primitives.ciphers.aead.ChaCha20Poly1305.
- Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.1.2.

41.0.2 - 2023-07-10
- Fixed bugs in creating and parsing SSH certificates where critical options with values were handled incorrectly. Certificates are now created correctly and parsing accepts correct values as well as the previously generated invalid forms with a warning. In the next release, support for parsing these invalid forms will be removed.

41.0.1 - 2023-06-01
- Temporarily allow invalid ECDSA signature algorithm parameters in X.509 certificates, which are generated by older versions of Java.
... (truncated)
Commits
- f09c261 41.0.6 release (#9927)
- 5012bed bump for 41.0.5 release (#9766)
- 563b119 Added binding needed for pyOpenSSL (#9739) (#9740)
- fc11bce bump for 41.0.4 (#9629)
- b22271c bump for 41.0.3 (#9330)
- 774a4a1 Only check DH key validity when loading a private key. (#9071) (#9319)
- bfa4d95 changelog for 41.0.3 (#9320)
- 0da7165 backport fix the memory leak in fixedpool (#9272) (#9309)
- 7431db7 bump for 41.0.2 (#9215)
- e190ef1 Backport ssh cert fix (#9211)
- Additional commits viewable in compare view