Recommended update for python-cryptography
Announcement ID: | SUSE-RU-2022:2355-1 |
---|---|
Rating: | moderate |
References: | |
Affected Products: |
|
An update that contains one feature and has one fix can now be installed.
Description:
This update for python-cryptography fixes the following issues:
python-cryptography was updated to 3.3.2.
update to 3.3.0:
- BACKWARDS INCOMPATIBLE: The GCM and AESGCM now require 64-bit to 1024-bit (8 byte to 128 byte) initialization vectors. This change is to conform with an upcoming OpenSSL release that will no longer support sizes outside this window.
- BACKWARDS INCOMPATIBLE: When deserializing asymmetric keys we now raise ValueError rather than UnsupportedAlgorithm when an unsupported cipher is used. This change is to conform with an upcoming OpenSSL release that will no longer distinguish between error types.
- BACKWARDS INCOMPATIBLE: We no longer allow loading of finite field Diffie-Hellman parameters of less than 512 bits in length. This change is to conform with an upcoming OpenSSL release that no longer supports smaller sizes. These keys were already wildly insecure and should not have been used in any application outside of testing.
- Added the recover_data_from_signature() function to RSAPublicKey for recovering the signed data from an RSA signature.
Update to 3.2.1:
Disable blinding on RSA public keys to address an error with some versions of OpenSSL.
update to 3.2 (bsc#1178168, CVE-2020-25659):
- CVE-2020-25659: Attempted to make RSA PKCS#1v1.5 decryption more constant time, to protect against Bleichenbacher vulnerabilities. Due to limitations imposed by our API, we cannot completely mitigate this vulnerability.
- Added basic support for PKCS7 signing (including SMIME) via PKCS7SignatureBuilder.
update to 3.1:
- BACKWARDS INCOMPATIBLE: Removed support for
idna
based :term:U-label
parsing in various X.509 classes. This support was originally deprecated in version 2.1 and moved to an extra in 2.5. backend
arguments to functions are no longer required and the default backend will automatically be selected if nobackend
is provided.- Added initial support for parsing certificates from PKCS7 files with
:func:
~cryptography.hazmat.primitives.serialization.pkcs7.load_pem_pkcs7_certificates
and :func:~cryptography.hazmat.primitives.serialization.pkcs7.load_der_pkcs7_certificates
. - Calling
update
orupdate_into
on :class:~cryptography.hazmat.primitives.ciphers.CipherContext
withdata
longer than 2\ :sup:31
bytes no longer raises anOverflowError
. This also resolves the same issue in :doc:/fernet
.
update to 3.0:
- RSA generate_private_key() no longer accepts public_exponent values except 65537 and 3 (the latter for legacy purposes).
- X.509 certificate parsing now enforces that the version field contains a valid value, rather than deferring this check until version is accessed.
- Deprecated support for Python 2
- Added support for OpenSSH serialization format for ec, ed25519, rsa and dsa private keys: load_ssh_private_key() for loading and OpenSSH for writing.
- Added support for OpenSSH certificates to load_ssh_public_key().
- Added encrypt_at_time() and decrypt_at_time() to Fernet.
- Added support for the SubjectInformationAccess X.509 extension.
- Added support for parsing SignedCertificateTimestamps in OCSP responses.
- Added support for parsing attributes in certificate signing requests via get_attribute_for_oid().
- Added support for encoding attributes in certificate signing requests via add_attribute().
- On OpenSSL 1.1.1d and higher cryptography now uses OpenSSL’s built-in CSPRNG instead of its own OS random engine because these versions of OpenSSL properly reseed on fork.
- Added initial support for creating PKCS12 files with serialize_key_and_certificates().
Update to 2.9:
- BACKWARDS INCOMPATIBLE: Support for Python 3.4 has been removed due to low usage and maintenance burden.
- BACKWARDS INCOMPATIBLE: Support for OpenSSL 1.0.1 has been removed. Users on older version of OpenSSL will need to upgrade.
- BACKWARDS INCOMPATIBLE: Support for LibreSSL 2.6.x has been removed.
- Removed support for calling public_bytes() with no arguments, as per our deprecation policy. You must now pass encoding and format.
- BACKWARDS INCOMPATIBLE: Reversed the order in which rfc4514_string() returns the RDNs as required by RFC 4514.
- Added support for parsing single_extensions in an OCSP response.
- NameAttribute values can now be empty strings.
Patch Instructions:
To install this SUSE update use the SUSE recommended
installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
-
openSUSE Leap 15.4
zypper in -t patch openSUSE-SLE-15.4-2022-2355=1
-
Basesystem Module 15-SP4
zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP4-2022-2355=1
Package List:
-
openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64)
- python3-cryptography-debuginfo-3.3.2-150400.16.3.1
- python3-cryptography-3.3.2-150400.16.3.1
- python-cryptography-debugsource-3.3.2-150400.16.3.1
-
openSUSE Leap 15.4 (noarch)
- python3-cryptography-vectors-3.3.2-150400.7.3.1
-
Basesystem Module 15-SP4 (aarch64 ppc64le s390x x86_64)
- python3-cryptography-debuginfo-3.3.2-150400.16.3.1
- python3-cryptography-3.3.2-150400.16.3.1
- python-cryptography-debugsource-3.3.2-150400.16.3.1