Bump cryptography from 36.0.1 to 39.0.1
Created by: dependabot[bot]
Bumps cryptography from 36.0.1 to 39.0.1.
Changelog
Sourced from cryptography's changelog.
39.0.1 - 2023-02-07
* **SECURITY ISSUE** - Fixed a bug where ``Cipher.update_into`` accepted Python buffer protocol objects, but allowed immutable buffers. **CVE-2023-23931** * Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.0.8. .. _v39-0-0: 39.0.0 - 2023-01-01
- BACKWARDS INCOMPATIBLE: Support for OpenSSL 1.1.0 has been removed. Users on older version of OpenSSL will need to upgrade.
- BACKWARDS INCOMPATIBLE: Dropped support for LibreSSL < 3.5. The new minimum LibreSSL version is 3.5.0. Going forward our policy is to support versions of LibreSSL that are available in versions of OpenBSD that are still receiving security support.
- BACKWARDS INCOMPATIBLE: Removed the
encode_point
andfrom_encoded_point
methods on :class:~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicNumbers
, which had been deprecated for several years. :meth:~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey.public_bytes
and :meth:~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey.from_encoded_point
should be used instead.- BACKWARDS INCOMPATIBLE: Support for using MD5 or SHA1 in :class:
~cryptography.x509.CertificateBuilder
, other X.509 builders, and PKCS7 has been removed.- BACKWARDS INCOMPATIBLE: Dropped support for macOS 10.10 and 10.11, macOS users must upgrade to 10.12 or newer.
- ANNOUNCEMENT: The next version of
cryptography
(40.0) will change the way we link OpenSSL. This will only impact users who buildcryptography
from source (i.e., not from awheel
), and specify their own version of OpenSSL. For those users, theCFLAGS
,LDFLAGS
,INCLUDE
,LIB
, andCRYPTOGRAPHY_SUPPRESS_LINK_FLAGS
environment variables will no longer be respected. Instead, users will need to configure their buildsas documented here
_.- Added support for :ref:
disabling the legacy provider in OpenSSL 3.0.x<legacy-provider>
.- Added support for disabling RSA key validation checks when loading RSA keys via :func:
~cryptography.hazmat.primitives.serialization.load_pem_private_key
, :func:~cryptography.hazmat.primitives.serialization.load_der_private_key
, and :meth:~cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateNumbers.private_key
. This speeds up key loading but is :term:unsafe
if you are loading potentially attacker supplied keys.- Significantly improved performance for :class:
~cryptography.hazmat.primitives.ciphers.aead.ChaCha20Poly1305
... (truncated)
Commits
-
d6951dc
changelog + security fix backport (#8231) -
138da90
workaround scapy bug in downstream tests (#8218) (#8228) -
69527bc
bookworm is py311 now (#8200) -
111deef
backport main branch CI to 39.0.x (#8153) -
338a65a
39.0.0 version bump (#7954) -
84a3cd7
automatically download and upload circleci wheels (#7949) -
525c0b3
Type annotate release.py (#7951) -
46d2a94
Use the latest 3.10 release when wheel building (#7953) -
f150dc1
fix CI to work with ubuntu 22.04 (#7950) -
8867724
fix README for python3 (#7947) - Additional commits viewable in compare view
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase
.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
-
@dependabot rebase
will rebase this PR -
@dependabot recreate
will recreate this PR, overwriting any edits that have been made to it -
@dependabot merge
will merge this PR after your CI passes on it -
@dependabot squash and merge
will squash and merge this PR after your CI passes on it -
@dependabot cancel merge
will cancel a previously requested merge and block automerging -
@dependabot reopen
will reopen this PR if it is closed -
@dependabot close
will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually -
@dependabot ignore this major version
will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) -
@dependabot ignore this minor version
will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) -
@dependabot ignore this dependency
will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) -
@dependabot use these labels
will set the current labels as the default for future PRs for this repo and language -
@dependabot use these reviewers
will set the current reviewers as the default for future PRs for this repo and language -
@dependabot use these assignees
will set the current assignees as the default for future PRs for this repo and language -
@dependabot use this milestone
will set the current milestone as the default for future PRs for this repo and language
You can disable automated security fix PRs for this repo from the Security Alerts page.