diff --git a/backport-CVE-2024-26130.patch b/backport-CVE-2024-26130.patch
deleted file mode 100644
index 9b0d27961d09f02c9255a7d09ae2ecf0eca571f1..0000000000000000000000000000000000000000
--- a/backport-CVE-2024-26130.patch
+++ /dev/null
@@ -1,63 +0,0 @@
-From fc9611c3260f4d38a87227febf43d758938a8a75 Mon Sep 17 00:00:00 2001
-From: Alex Gaynor
-Date: Mon, 19 Feb 2024 11:50:28 -0500
-Subject: [PATCH] Fixes #10422 -- don't crash when a PKCS#12 key and cert don't
- match (#10423)
-
----
- .../hazmat/backends/openssl/backend.py | 9 +++++++++
- tests/hazmat/primitives/test_pkcs12.py | 18 ++++++++++++++++++
- 2 files changed, 27 insertions(+)
-
-diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py
-index 5d9eb27..12fbebe 100644
---- a/src/cryptography/hazmat/backends/openssl/backend.py
-+++ b/src/cryptography/hazmat/backends/openssl/backend.py
-@@ -826,6 +826,15 @@ class Backend:
- mac_iter,
- 0,
- )
-+ if p12 == self._ffi.NULL:
-+ errors = self._consume_errors()
-+ raise ValueError(
-+ (
-+ "Failed to create PKCS12 (does the key match the "
-+ "certificate?)"
-+ ),
-+ errors,
-+ )
-
- if (
- self._lib.Cryptography_HAS_PKCS12_SET_MAC
-diff --git a/tests/hazmat/primitives/test_pkcs12.py b/tests/hazmat/primitives/test_pkcs12.py
-index cd9c279..cd7bcaf 100644
---- a/tests/hazmat/primitives/test_pkcs12.py
-+++ b/tests/hazmat/primitives/test_pkcs12.py
-@@ -657,6 +657,24 @@ class TestPKCS12Creation:
- b"name", cakey, cacert, [], algorithm
- )
-
-+ @pytest.mark.supported(
-+ only_if=lambda backend: backend._lib.Cryptography_HAS_PKCS12_SET_MAC,
-+ skip_message="Requires OpenSSL with PKCS12_set_mac",
-+ )
-+ def test_set_mac_key_certificate_mismatch(self, backend):
-+ cacert, _ = _load_ca(backend)
-+ key = ec.generate_private_key(ec.SECP256R1())
-+ encryption = (
-+ serialization.PrivateFormat.PKCS12.encryption_builder()
-+ .hmac_hash(hashes.SHA256())
-+ .build(b"password")
-+ )
-+
-+ with pytest.raises(ValueError):
-+ serialize_key_and_certificates(
-+ b"name", key, cacert, [], encryption
-+ )
-+
-
- @pytest.mark.skip_fips(
- reason="PKCS12 unsupported in FIPS mode. So much bad crypto in it."
---
-2.27.0
-
diff --git a/cryptography-42.0.2.tar.gz b/cryptography-42.0.2.tar.gz
deleted file mode 100644
index b68881182ef1eede839a433ca3a3999b3f8366d2..0000000000000000000000000000000000000000
Binary files a/cryptography-42.0.2.tar.gz and /dev/null differ
diff --git a/cryptography-42.0.7.tar.gz b/cryptography-42.0.7.tar.gz
new file mode 100644
index 0000000000000000000000000000000000000000..ff609e5dc7f26a83a66a659b65fbc7504eba2489
Binary files /dev/null and b/cryptography-42.0.7.tar.gz differ
diff --git a/python-cryptography.spec b/python-cryptography.spec
index 79c7bb1339c691fc18ac4690c12fc13a6c006462..e448e3914458d5f356bf78c872b4c84bbe57e57f 100644
--- a/python-cryptography.spec
+++ b/python-cryptography.spec
@@ -1,11 +1,11 @@
 %global pypi_name cryptography
 Name: python-%{pypi_name}
-Version: 42.0.2
-Release: 3
+Version: 42.0.7
+Release: 1
 Summary: PyCA's cryptography library
 License: ASL 2.0 or BSD
 URL: https://cryptography.io/en/latest/
-Source0: %{pypi_source %{pypi_name}}
+Source0: https://github.com/pyca/cryptography/archive/%{version}/%{pypi_name}-%{version}.tar.gz
 # For Rust offline compile
 # Decompress the source code of cryptography, then enter ./src/rust directory,
 # execute "cargo vendor" to obtain "vendor" directory (Internet connection required),
@@ -14,7 +14,6 @@ Source0: %{pypi_source %{pypi_name}}
 Source1: cargo-vendor-cache.tar.gz
 Patch6002: backport-provide-openssl-apis-related-to-SM-for-python.patch
-Patch6003: backport-CVE-2024-26130.patch
 BuildRequires: openssl-devel cargo
 BuildRequires: gcc
@@ -90,6 +89,9 @@ EOF
 %doc README.rst docs
 %changelog
+* Fri May 10 2024 wangxiaomeng - 42.0.7-1
+- upgrade version to 42.0.7
+
 * Thu Apr 18 2024 shixuantong - 42.0.2-3
 - set debug is true for build debug package
 - add rust to BuildRequires
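Review bot: The new `Source0:` line in the first spec hunk switches from `%{pypi_source %{pypi_name}}` to the GitHub archive URL, and nothing visible in the spec ties the committed `cryptography-42.0.7.tar.gz` to a known digest, so the tarball's provenance cannot be re-checked from the package itself. A comment beside it such as `# sha256: <SHA256_OF_UPSTREAM_TARBALL> (compared with the upstream release)` would make that verification repeatable. `Source1: cargo-vendor-cache.tar.gz` does not appear among the changed files in this diff; if the Rust dependencies moved between 42.0.2 and 42.0.7, the offline build would run against stale vendored crates, so it is worth confirming the cache was regenerated as the comment above `Source1` describes. The `%changelog` entry in the last hunk could also record the security-relevant part of the change, e.g. `- drop backport-CVE-2024-26130.patch (presumably included upstream; confirm against the 42.0.7 sources)`, so that CVE tracking for this package does not depend on reading the diff.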