The upstream release fixes a single issue:
- Fixed decrypting PKCS#8 files encrypted with SHA1-RC4. (This is not
considered secure, and is supported only for backwards compatibility.)
Fixes rhbz #2371350
This fixes two issues from v45:
- Fixed decrypting PKCS#8 files encrypted with long salts (this impacts keys encrypted by Bouncy Castle).
- Fixed decrypting PKCS#8 files encrypted with DES-CBC-MD5. While wildly insecure, this remains prevalent.
This update includes two backwards-incompatible changes with v44:
- Made SSH private key loading more consistent with other private key
loading:
:func:`~cryptography.hazmat.primitives.serialization.load_ssh_private_key`
now raises a TypeError if the key is unencrypted but a password is
provided (previously no exception was raised), and raises a
TypeError if the key is encrypted but no password is provided
(previously a ValueError was raised).
- The :meth:`VerifiedClient.subject
<cryptography.x509.verification.VerifiedClient.subjects>` property
can now be None since a custom extension policy may allow
certificates without a Subject Alternative Name extension.
Full changelog: https://github.com/pyca/cryptography/blob/45.0.2/CHANGELOG.rst
This release is largely adding new features. One behavioral change which might
cause issues is:
- Enforce the RFC 5280 requirement that extended key usage extensions must not be empty.
Complete changelog: https://github.com/pyca/cryptography/blob/44.0.0/CHANGELOG.rst
Additionally, this builds the package with OPENSSL_NO_ENGINE=1.
This drops the skip-overflow-tests-32bit.patch as it's included in
v43.0.0. It picks up the patch in
https://github.com/pyca/cryptography/pull/11328 to allow building with
OPENSSL_NO_ENGINE=1.
This reverts commit 2220bc3f08 and bumps
the version up from 42.0.5 to 42.0.8.
Additionally, a dependency on the openssl-devel-engine is necessary.
Longer-term this should be dropped[0].
[0] https://fedoraproject.org/wiki/Changes/OpensslDeprecateEngine
Co-authored-by: Christian Heimes <cheimes@redhat.com>
python-cryptography now uses source bundle from GitHub, which contains
sources of vectors, too. Tests are no longer depending on
python3-cryptography-vectors. Instead tests are using the bundled
vectors package.
Resolves RHBZ#1952024