Commit Graph

15 Commits

Author SHA1 Message Date
Michael Weiss
af9568fae8
python3Packages.cryptography: 3.3.1 -> 3.3.2 (security, CVE-2020-36242)
SECURITY ISSUE: Fixed a bug where certain sequences of update() calls
when symmetrically encrypting very large payloads (>2GB) could result in
an integer overflow, leading to buffer overflows. CVE-2020-36242

Note: This also updates {,vectors-}3.3.nix (for Python 2 / nixops)
because of the security issue.
2021-02-07 20:09:55 +01:00
Michael Weiss
44b7d77591
python3Packages.cryptography: 3.2.1 -> 3.3.1
Backward incompatible changes:
- Support for Python 3.5 has been removed due to low usage and
  maintenance burden.
- The GCM and AESGCM now require 64-bit to 1024-bit (8 byte to 128 byte)
  initialization vectors. This change is to conform with an upcoming
  OpenSSL release that will no longer support sizes outside this window.
- When deserializing asymmetric keys we now raise ValueError rather than
  UnsupportedAlgorithm when an unsupported cipher is used. This change
  is to conform with an upcoming OpenSSL release that will no longer
  distinguish between error types.
- We no longer allow loading of finite field Diffie-Hellman parameters
  of less than 512 bits in length. This change is to conform with an
  upcoming OpenSSL release that no longer supports smaller sizes. These
  keys were already wildly insecure and should not have been used in any
  application outside of testing.
2020-12-10 13:40:57 +01:00
Michael Weiss
c2694ef30d python3Packages.cryptography: 3.2 -> 3.2.1
Changelog:
- Disable blinding on RSA public keys to address an error with some
  versions of OpenSSL.
2020-10-29 12:20:02 -07:00
Michael Weiss
1083cdd279
python3Packages.cryptography: 3.1.1 -> 3.2 (security, CVE-2020-25659)
SECURITY ISSUE: Attempted to make RSA PKCS#1v1.5 decryption more
constant time, to protect against Bleichenbacher vulnerabilities. Due to
limitations imposed by our API, we cannot completely mitigate this
vulnerability and a future release will contain a new API which is
designed to be resilient to these for contexts where it is required.
Credit to Hubert Kario for reporting the issue. CVE-2020-25659
2020-10-26 12:19:28 +01:00
Michael Weiss
6afb5823e1
python3Packages.cryptography: 3.1 -> 3.1.1 2020-09-22 22:02:38 +02:00
Michael Weiss
16ecb025bd python3Packages.cryptography: 3.0 -> 3.1
Backwards incompatible changes:
- Removed support for idna based U-label parsing in various X.509
  classes. This support was originally deprecated in version 2.1 and
  moved to an extra in 2.5.
2020-08-29 13:35:56 +02:00
Michael Weiss
434a0111f6 python3Packages.cryptography: 2.9.2 -> 3.0
Backwards incompatible changes:
- Removed support for passing an Extension instance to
  from_issuer_subject_key_identifier(), as per our deprecation policy.
- Support for LibreSSL 2.7.x, 2.8.x, and 2.9.0 has been removed (2.9.1+
  is still supported).
- Dropped support for macOS 10.9, macOS users must upgrade to 10.10 or
  newer.
- RSA generate_private_key() no longer accepts public_exponent values
  except 65537 and 3 (the latter for legacy purposes).
- X.509 certificate parsing now enforces that the version field contains
  a valid value, rather than deferring this check until version is
  accessed.

Deprecations:
- Deprecated support for Python 2. At the time there is no time table
  for actually dropping support, however we strongly encourage all users
  to upgrade their Python, as Python 2 no longer receives support from
  the Python core team.
2020-07-22 16:54:20 +02:00
Daiderd Jordan
b7ddbd52bd
treewide: replace SRI hashes 2020-06-01 15:24:19 +02:00
Frederik Rietdijk
31c25c7a38 python.pkgs.cryptography_vectors: 2.9.1 -> 2.9.2 2020-05-11 22:13:15 +02:00
Michael Weiss
c6e3c006b1 python3Packages.cryptography: 2.9 -> 2.9.1
"Updated Windows, macOS, and ``manylinux`` wheels to be compiled with
OpenSSL 1.1.1g."
2020-04-22 17:08:52 +02:00
Michael Weiss
af1cb9f1b5 python3Packages.cryptography: 2.8 -> 2.9
Backwards incompatible changes:
- Support for Python 3.4 has been removed due to low usage and
  maintenance burden.
- Support for OpenSSL 1.0.1 has been removed. Users on older version of
  OpenSSL will need to upgrade.
- Support for LibreSSL 2.6.x has been removed.
- Reversed the order in which rfc4514_string() returns the RDNs as
  required by RFC 4514.

Note: The first three changes should have no impact on Nixpkgs as we
already removed Python 3.4 and OpenSSL 1.0.1. Additionally we don't
support LibreSSL for this package.
2020-04-05 13:14:45 +02:00
Michael Weiss
baf5494330 python37Packages.cryptography: 2.7 -> 2.8
Changelog:
https://cryptography.io/en/latest/changelog/#v2-8

Important changes:
- Deprecated support for OpenSSL 1.0.1. Support will be removed in
  cryptography 2.9.
- cryptography no longer depends on asn1crypto.
- Added support for Python 3.8.
2019-10-20 11:07:41 +02:00
Michael Weiss
77e1967dcd
python37Packages.cryptography: 2.6.1 -> 2.7
Changelog:
https://cryptography.io/en/latest/changelog/#v2-7

Important changes:
- BACKWARDS INCOMPATIBLE: We no longer distribute 32-bit manylinux1
  wheels. Continuing to produce them was a maintenance burden.
- BACKWARDS INCOMPATIBLE: Removed the
  cryptography.hazmat.primitives.mac.MACContext interface.
  The CMAC and HMAC APIs have not changed, but they are no longer
  registered as MACContext instances.
2019-05-31 23:18:55 +02:00
Michael Weiss
047af233cd
python37Packages.cryptography: 2.5 -> 2.6.1
Changelog:
https://cryptography.io/en/latest/changelog/#v2-6-1

Important changes:
- BACKWARDS INCOMPATIBLE: Removed
  cryptography.hazmat.primitives.asymmetric.utils.encode_rfc6979_signature
  and
  cryptography.hazmat.primitives.asymmetric.utils.decode_rfc6979_signature,
  which had been deprecated for nearly 4 years. Use
  encode_dss_signature() and decode_dss_signature() instead.
- BACKWARDS INCOMPATIBLE: Removed cryptography.x509.Certificate.serial,
  which had been deprecated for nearly 3 years. Use serial_number
  instead.
2019-04-22 12:29:34 +02:00
Michael Weiss
22714ad6d0
python37Packages.cryptography: Improve the test vectors integration
This should make the management easier. The package cryptography_vectors
contains the test vectors for cryptography and should therefore always
have the same version. By linking the version of cryptography_vectors to
cryptography, this simply cannot be forgotten.
2019-04-22 12:29:34 +02:00