SECURITY ISSUE: Attempted to make RSA PKCS#1v1.5 decryption more
constant time, to protect against Bleichenbacher vulnerabilities. Due to
limitations imposed by our API, we cannot completely mitigate this
vulnerability and a future release will contain a new API which is
designed to be resilient to these for contexts where it is required.
Credit to Hubert Kario for reporting the issue. CVE-2020-25659
Backwards incompatible changes:
- Removed support for idna based U-label parsing in various X.509
classes. This support was originally deprecated in version 2.1 and
moved to an extra in 2.5.
Backwards incompatible changes:
- Removed support for passing an Extension instance to
from_issuer_subject_key_identifier(), as per our deprecation policy.
- Support for LibreSSL 2.7.x, 2.8.x, and 2.9.0 has been removed (2.9.1+
is still supported).
- Dropped support for macOS 10.9; macOS users must upgrade to 10.10 or
newer.
- RSA generate_private_key() no longer accepts public_exponent values
except 65537 and 3 (the latter for legacy purposes).
- X.509 certificate parsing now enforces that the version field contains
a valid value, rather than deferring this check until version is
accessed.
Deprecations:
- Deprecated support for Python 2. At the time there is no time table
for actually dropping support, however we strongly encourage all users
to upgrade their Python, as Python 2 no longer receives support from
the Python core team.
Backwards incompatible changes:
- Support for Python 3.4 has been removed due to low usage and
maintenance burden.
- Support for OpenSSL 1.0.1 has been removed. Users on older versions of
OpenSSL will need to upgrade.
- Support for LibreSSL 2.6.x has been removed.
- Reversed the order in which rfc4514_string() returns the RDNs as
required by RFC 4514.
Note: The first three changes should have no impact on Nixpkgs as we
already removed Python 3.4 and OpenSSL 1.0.1. Additionally we don't
support LibreSSL for this package.
Changelog:
https://cryptography.io/en/latest/changelog/#v2-8
Important changes:
- Deprecated support for OpenSSL 1.0.1. Support will be removed in
cryptography 2.9.
- cryptography no longer depends on asn1crypto.
- Added support for Python 3.8.
Changelog:
https://cryptography.io/en/latest/changelog/#v2-7
Important changes:
- BACKWARDS INCOMPATIBLE: We no longer distribute 32-bit manylinux1
wheels. Continuing to produce them was a maintenance burden.
- BACKWARDS INCOMPATIBLE: Removed the
cryptography.hazmat.primitives.mac.MACContext interface.
The CMAC and HMAC APIs have not changed, but they are no longer
registered as MACContext instances.
Changelog:
https://cryptography.io/en/latest/changelog/#v2-6-1
Important changes:
- BACKWARDS INCOMPATIBLE: Removed
cryptography.hazmat.primitives.asymmetric.utils.encode_rfc6979_signature
and
cryptography.hazmat.primitives.asymmetric.utils.decode_rfc6979_signature,
which had been deprecated for nearly 4 years. Use
encode_dss_signature() and decode_dss_signature() instead.
- BACKWARDS INCOMPATIBLE: Removed cryptography.x509.Certificate.serial,
which had been deprecated for nearly 3 years. Use serial_number
instead.
This should make the management easier. The package cryptography_vectors
contains the test vectors for cryptography and should therefore always
have the same version. By linking the version of cryptography_vectors to
cryptography, this simply cannot be forgotten.