chore(deps): [security] bump cryptography from 42.0.3 to 42.0.4 (!254) · Merge requests · HIFIS Software Deployment / GitLab E2E Testing

HIFIS Bot requested to merge dependabot-pip-cryptography-42.0.4 into main Feb 22, 2024

Bumps cryptography from 42.0.3 to 42.0.4. This update includes a security fix.

Vulnerabilities fixed

cryptography NULL pointer dereference with pkcs12.serialize_key_and_certificates when called with a non-matching certificate and private key and an hmac_hash override If pkcs12.serialize_key_and_certificates is called with both:

A certificate whose public key did not match the provided private key

An encryption_algorithm with hmac_hash set (via PrivateFormat.PKCS12.encryption_builder().hmac_hash(...)

Then a NULL pointer dereference would occur, crashing the Python process.

This has been resolved, and now a ValueError is properly raised.

Patched in pyca/cryptography#10423

Patched versions: 42.0.4 Affected versions: >= 38.0.0, < 42.0.4

Changelog

Sourced from cryptography's changelog.

42.0.4 - 2024-02-20


* Fixed a null-pointer-dereference and segfault that could occur when creating
  a PKCS#12 bundle. Credit to **Alexander-Programming** for reporting the
  issue. **CVE-2024-26130**
* Fixed ASN.1 encoding for PKCS7/SMIME signed messages. The fields ``SMIMECapabilities``
  and ``SignatureAlgorithmIdentifier`` should now be correctly encoded according to the
  definitions in :rfc:`2633` :rfc:`3370`.
.. _v42-0-3:

Commits

fe18470 Bump for 42.0.4 release (#10445)
aaa2dd0 Fix ASN.1 issues in PKCS#7 and S/MIME signing (#10373) (#10442)
7a4d012 Fixes #10422 -- don't crash when a PKCS#12 key and cert don't match (#10423) ...
df314bb backport actions m1 switch to 42.0.x (#10415)
See full diff in compare view

chore(deps): [security] bump cryptography from 42.0.3 to 42.0.4

Merge request reports