SUSE-RU-2022:2355-1: moderate: Recommended update for python-cryptography

sle-updates at lists.suse.com sle-updates at lists.suse.com
Mon Jul 11 16:16:09 UTC 2022 

   SUSE Recommended Update: Recommended update for python-cryptography
______________________________________________________________________________

Announcement ID:    SUSE-RU-2022:2355-1
Rating:             moderate
References:         #1198331 PM-3445 
Affected Products:
                    SUSE Linux Enterprise Desktop 15-SP4
                    SUSE Linux Enterprise High Performance Computing 15-SP4
                    SUSE Linux Enterprise Module for Basesystem 15-SP4
                    SUSE Linux Enterprise Server 15-SP4
                    SUSE Linux Enterprise Server for SAP Applications 15-SP4
                    SUSE Manager Proxy 4.3
                    SUSE Manager Retail Branch Server 4.3
                    SUSE Manager Server 4.3
                    openSUSE Leap 15.4
______________________________________________________________________________

   An update that has one recommended fix and contains one
   feature can now be installed.

Description:


   This update for python-cryptography fixes the following issues:

   python-cryptography was updated to 3.3.2.

   update to 3.3.0:

   * BACKWARDS INCOMPATIBLE: The GCM and AESGCM now require 64-bit to
     1024-bit (8 byte to 128 byte) initialization vectors. This change is to
     conform with an upcoming OpenSSL release that will no longer support
     sizes outside this window.
   * BACKWARDS INCOMPATIBLE: When deserializing asymmetric keys we now raise
     ValueError rather than UnsupportedAlgorithm when an unsupported cipher
     is used. This change is to conform with an upcoming OpenSSL release that
     will no longer distinguish between error types.
   * BACKWARDS INCOMPATIBLE: We no longer allow loading of finite field
     Diffie-Hellman parameters of less than 512 bits in length. This change
     is to conform with an upcoming OpenSSL release that no longer supports
     smaller sizes. These keys were already wildly insecure and should not
     have been used in any application outside of testing.
   * Added the recover_data_from_signature() function to RSAPublicKey for
     recovering the signed data from an RSA signature.

   Update to 3.2.1:

   Disable blinding on RSA public keys to address an error with some versions
   of OpenSSL.

   update to 3.2 (bsc#1178168, CVE-2020-25659):

   * CVE-2020-25659: Attempted to make RSA PKCS#1v1.5 decryption more
     constant time, to protect against Bleichenbacher vulnerabilities. Due to
     limitations imposed by our API, we cannot completely mitigate this
     vulnerability.
   * Added basic support for PKCS7 signing (including SMIME) via
     PKCS7SignatureBuilder.

   update to 3.1:

   * **BACKWARDS INCOMPATIBLE:** Removed support for ``idna`` based
     :term:`U-label` parsing in various X.509 classes. This support was
     originally deprecated in version 2.1 and moved to an extra in 2.5.
   * ``backend`` arguments to functions are no longer required and the
     default backend will automatically be selected if no ``backend`` is
     provided.
   * Added initial support for parsing certificates from PKCS7 files with
   :func:`~cryptography.hazmat.primitives.serialization.pkcs7.load_pem_pkcs7_c
     ertificates` and
   :func:`~cryptography.hazmat.primitives.serialization.pkcs7.load_der_pkcs7_c
     ertificates` .
   * Calling ``update`` or ``update_into`` on
     :class:`~cryptography.hazmat.primitives.ciphers.CipherContext` with
     ``data`` longer than 2\ :sup:`31` bytes no longer raises an
     ``OverflowError``. This also resolves the same issue in :doc:`/fernet`.

   update to 3.0:

   * RSA generate_private_key() no longer accepts public_exponent values
     except 65537 and 3 (the latter for legacy purposes).
   * X.509 certificate parsing now enforces that the version field contains a
     valid value, rather than deferring this check until version is accessed.
   * Deprecated support for Python 2
   * Added support for OpenSSH serialization format for ec, ed25519, rsa and
     dsa private keys: load_ssh_private_key() for loading and OpenSSH for
     writing.
   * Added support for OpenSSH certificates to load_ssh_public_key().
   * Added encrypt_at_time() and decrypt_at_time() to Fernet.
   * Added support for the SubjectInformationAccess X.509 extension.
   * Added support for parsing SignedCertificateTimestamps in OCSP responses.
   * Added support for parsing attributes in certificate signing requests via
     get_attribute_for_oid().
   * Added support for encoding attributes in certificate signing requests
     via add_attribute().
   * On OpenSSL 1.1.1d and higher cryptography now uses OpenSSL’s built-in
     CSPRNG instead of its own OS random engine because these versions of
     OpenSSL properly reseed on fork.
   * Added initial support for creating PKCS12 files with
     serialize_key_and_certificates().

   Update to 2.9:

   * BACKWARDS INCOMPATIBLE: Support for Python 3.4 has been removed due to
     low usage and maintenance burden.
   * BACKWARDS INCOMPATIBLE: Support for OpenSSL 1.0.1 has been removed.
     Users on older version of OpenSSL will need to upgrade.
   * BACKWARDS INCOMPATIBLE: Support for LibreSSL 2.6.x has been removed.
   * Removed support for calling public_bytes() with no arguments, as per
     our deprecation policy. You must now pass encoding and format.
   * BACKWARDS INCOMPATIBLE: Reversed the order in which rfc4514_string()
     returns the RDNs as required by RFC 4514.
   * Added support for parsing single_extensions in an OCSP response.
   * NameAttribute values can now be empty strings.


Patch Instructions:

   To install this SUSE Recommended Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - openSUSE Leap 15.4:

      zypper in -t patch openSUSE-SLE-15.4-2022-2355=1

   - SUSE Linux Enterprise Module for Basesystem 15-SP4:

      zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP4-2022-2355=1



Package List:

   - openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64):

      python-cryptography-debugsource-3.3.2-150400.16.3.1
      python3-cryptography-3.3.2-150400.16.3.1
      python3-cryptography-debuginfo-3.3.2-150400.16.3.1

   - openSUSE Leap 15.4 (noarch):

      python3-cryptography-vectors-3.3.2-150400.7.3.1

   - SUSE Linux Enterprise Module for Basesystem 15-SP4 (aarch64 ppc64le s390x x86_64):

      python-cryptography-debugsource-3.3.2-150400.16.3.1
      python3-cryptography-3.3.2-150400.16.3.1
      python3-cryptography-debuginfo-3.3.2-150400.16.3.1


References:

   https://bugzilla.suse.com/1198331

More information about the sle-updates mailing list