SUSE-RU-2022:2355-1

Import Source
https://ftp.suse.com/pub/projects/security/osv/SUSE-RU-2022:2355-1.json
JSON Data
https://api.osv.dev/v1/vulns/SUSE-RU-2022:2355-1
Published
2022-07-11T10:44:27Z
Modified
2022-07-11T10:44:27Z
Summary
Recommended update for python-cryptography
Details

This update for python-cryptography fixes the following issues:

python-cryptography was updated to 3.3.2.

Update to 3.3.0:

  • BACKWARDS INCOMPATIBLE: The GCM and AESGCM now require 64-bit to 1024-bit (8 byte to 128 byte) initialization vectors. This change is to conform with an upcoming OpenSSL release that will no longer support sizes outside this window.
  • BACKWARDS INCOMPATIBLE: When deserializing asymmetric keys we now raise ValueError rather than UnsupportedAlgorithm when an unsupported cipher is used. This change is to conform with an upcoming OpenSSL release that will no longer distinguish between error types.
  • BACKWARDS INCOMPATIBLE: We no longer allow loading of finite field Diffie-Hellman parameters of less than 512 bits in length. This change is to conform with an upcoming OpenSSL release that no longer supports smaller sizes. These keys were already wildly insecure and should not have been used in any application outside of testing.
  • Added the recover_data_from_signature() function to RSAPublicKey for recovering the signed data from an RSA signature.

Update to 3.2.1:

Disable blinding on RSA public keys to address an error with some versions of OpenSSL.

Update to 3.2 (bsc#1178168, CVE-2020-25659):

  • CVE-2020-25659: Attempted to make RSA PKCS#1v1.5 decryption more constant time, to protect against Bleichenbacher vulnerabilities. Due to limitations imposed by our API, we cannot completely mitigate this vulnerability.
  • Added basic support for PKCS7 signing (including SMIME) via PKCS7SignatureBuilder.

Update to 3.1:

  • BACKWARDS INCOMPATIBLE: Removed support for idna based U-label parsing in various X.509 classes. This support was originally deprecated in version 2.1 and moved to an extra in 2.5.
  • backend arguments to functions are no longer required and the default backend will automatically be selected if no backend is provided.
  • Added initial support for parsing certificates from PKCS7 files with load_pem_pkcs7_certificates and load_der_pkcs7_certificates.
  • Calling update or update_into on CipherContext with data longer than 2^31 bytes no longer raises an OverflowError. This also resolves the same issue in Fernet.

Update to 3.0:

  • RSA generate_private_key() no longer accepts public_exponent values except 65537 and 3 (the latter for legacy purposes).
  • X.509 certificate parsing now enforces that the version field contains a valid value, rather than deferring this check until version is accessed.
  • Deprecated support for Python 2.
  • Added support for OpenSSH serialization format for ec, ed25519, rsa and dsa private keys: load_ssh_private_key() for loading and OpenSSH for writing.
  • Added support for OpenSSH certificates to load_ssh_public_key().
  • Added encrypt_at_time() and decrypt_at_time() to Fernet.
  • Added support for the SubjectInformationAccess X.509 extension.
  • Added support for parsing SignedCertificateTimestamps in OCSP responses.
  • Added support for parsing attributes in certificate signing requests via get_attribute_for_oid().
  • Added support for encoding attributes in certificate signing requests via add_attribute().
  • On OpenSSL 1.1.1d and higher cryptography now uses OpenSSL’s built-in CSPRNG instead of its own OS random engine because these versions of OpenSSL properly reseed on fork.
  • Added initial support for creating PKCS12 files with serialize_key_and_certificates().

Update to 2.9:

  • BACKWARDS INCOMPATIBLE: Support for Python 3.4 has been removed due to low usage and maintenance burden.
  • BACKWARDS INCOMPATIBLE: Support for OpenSSL 1.0.1 has been removed. Users on older versions of OpenSSL will need to upgrade.
  • BACKWARDS INCOMPATIBLE: Support for LibreSSL 2.6.x has been removed.
  • Removed support for calling public_bytes() with no arguments, as per our deprecation policy. You must now pass encoding and format.
  • BACKWARDS INCOMPATIBLE: Reversed the order in which rfc4514_string() returns the RDNs as required by RFC 4514.
  • Added support for parsing single_extensions in an OCSP response.
  • NameAttribute values can now be empty strings.

Affected packages

SUSE:Linux Enterprise Module for Basesystem 15 SP4 / python-cryptography

Package

Name
python-cryptography
Purl
purl:rpm/suse/python-cryptography&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP4

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
3.3.2-150400.16.3.1

Ecosystem specific

{
    "binaries": [
        {
            "python3-cryptography": "3.3.2-150400.16.3.1"
        }
    ]
}

openSUSE:Leap 15.4 / python-cryptography

Package

Name
python-cryptography
Purl
purl:rpm/suse/python-cryptography&distro=openSUSE%20Leap%2015.4

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
3.3.2-150400.16.3.1

Ecosystem specific

{
    "binaries": [
        {
            "python3-cryptography": "3.3.2-150400.16.3.1",
            "python3-cryptography-vectors": "3.3.2-150400.7.3.1"
        }
    ]
}

openSUSE:Leap 15.4 / python-cryptography-vectors

Package

Name
python-cryptography-vectors
Purl
purl:rpm/suse/python-cryptography-vectors&distro=openSUSE%20Leap%2015.4

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
3.3.2-150400.7.3.1

Ecosystem specific

{
    "binaries": [
        {
            "python3-cryptography": "3.3.2-150400.16.3.1",
            "python3-cryptography-vectors": "3.3.2-150400.7.3.1"
        }
    ]
}