Skip to content

Latest commit

 

History

History
2534 lines (2047 loc) · 101 KB

CHANGELOG.rst

File metadata and controls

2534 lines (2047 loc) · 101 KB

Changelog

44.0.0 - main

Note

This version is not yet released and is under active development.

  • Deprecated Python 3.7 support. Python 3.7 is no longer supported by the Python core team. Support for Python 3.7 will be removed in a future cryptography release.
  • Enforce the RFC 5280 requirement that extended key usage extensions must not be empty.
  • Added support for timestamp extraction to the :class:`~cryptography.fernet.MultiFernet` class.
  • Relax the Authority Key Identifier requirements on root CA certificates during X.509 verification to allow fields permitted by RFC 5280 but forbidden by the CA/Browser BRs.

43.0.1 - 2024-09-03

  • Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.3.2.

43.0.0 - 2024-07-20

42.0.8 - 2024-06-04

  • Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.2.2.

42.0.7 - 2024-05-06

  • Restored Windows 7 compatibility for our pre-built wheels. Note that we do not test on Windows 7 and wheels for our next release will not support it. Microsoft no longer provides support for Windows 7 and users are encouraged to upgrade.

42.0.6 - 2024-05-04

  • Fixed compilation when using LibreSSL 3.9.1.

42.0.5 - 2024-02-23

42.0.4 - 2024-02-20

  • Fixed a null-pointer-dereference and segfault that could occur when creating a PKCS#12 bundle. Credit to Alexander-Programming for reporting the issue. CVE-2024-26130
  • Fixed ASN.1 encoding for PKCS7/SMIME signed messages. The fields SMIMECapabilities and SignatureAlgorithmIdentifier should now be correctly encoded according to the definitions in RFC 2633 RFC 3370.

42.0.3 - 2024-02-15

  • Fixed an initialization issue that caused key loading failures for some users.

42.0.2 - 2024-01-30

42.0.1 - 2024-01-24

42.0.0 - 2024-01-22

41.0.7 - 2023-11-27

  • Fixed compilation when using LibreSSL 3.8.2.

41.0.6 - 2023-11-27

  • Fixed a null-pointer-dereference and segfault that could occur when loading certificates from a PKCS#7 bundle. Credit to pkuzco for reporting the issue. CVE-2023-49083

41.0.5 - 2023-10-24

  • Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.1.4.
  • Added a function to support an upcoming pyOpenSSL release.

41.0.4 - 2023-09-19

  • Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.1.3.

41.0.3 - 2023-08-01

41.0.2 - 2023-07-10

  • Fixed bugs in creating and parsing SSH certificates where critical options with values were handled incorrectly. Certificates are now created correctly and parsing accepts correct values as well as the previously generated invalid forms with a warning. In the next release, support for parsing these invalid forms will be removed.

41.0.1 - 2023-06-01

  • Temporarily allow invalid ECDSA signature algorithm parameters in X.509 certificates, which are generated by older versions of Java.
  • Allow null bytes in pass phrases when serializing private keys.

41.0.0 - 2023-05-30

40.0.2 - 2023-04-14

  • Fixed compilation when using LibreSSL 3.7.2.
  • Added some functions to support an upcoming pyOpenSSL release.

40.0.1 - 2023-03-24

  • Fixed a bug where certain operations would fail if an object happened to be in the top-half of the memory-space. This only impacted 32-bit systems.

40.0.0 - 2023-03-24

39.0.2 - 2023-03-02

  • Fixed a bug where the content type header was not properly encoded for PKCS7 signatures when using the Text option and SMIME encoding.

39.0.1 - 2023-02-07

  • SECURITY ISSUE - Fixed a bug where Cipher.update_into accepted Python buffer protocol objects, but allowed immutable buffers. CVE-2023-23931
  • Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.0.8.

39.0.0 - 2023-01-01

38.0.4 - 2022-11-27

  • Fixed compilation when using LibreSSL 3.6.0.
  • Fixed error when using py2app to build an application with a cryptography dependency.

38.0.3 - 2022-11-01

  • Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.0.7, which resolves CVE-2022-3602 and CVE-2022-3786.

38.0.2 - 2022-10-11 (YANKED)

Attention!

This release was subsequently yanked from PyPI due to a regression in OpenSSL.

  • Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.0.6.

38.0.1 - 2022-09-07

  • Fixed parsing TLVs in ASN.1 with length greater than 65535 bytes (typically seen in large CRLs).

38.0.0 - 2022-09-06

37.0.4 - 2022-07-05

  • Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.0.5.

37.0.3 - 2022-06-21 (YANKED)

Attention!

This release was subsequently yanked from PyPI due to a regression in OpenSSL.

  • Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.0.4.

37.0.2 - 2022-05-03

  • Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.0.3.
  • Added a constant needed for an upcoming pyOpenSSL release.

37.0.1 - 2022-04-27

  • Fixed an issue where parsing an encrypted private key with the public loader functions would hang waiting for console input on OpenSSL 3.0.x rather than raising an error.
  • Restored some legacy symbols for older pyOpenSSL users. These will be removed again in the future, so pyOpenSSL users should still upgrade to the latest version of that package when they upgrade cryptography.

37.0.0 - 2022-04-26

36.0.2 - 2022-03-15

  • Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 1.1.1n.

36.0.1 - 2021-12-14

  • Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 1.1.1m.

36.0.0 - 2021-11-21

35.0.0 - 2021-09-29

  • Changed the :ref:`version scheme <api-stability:versioning>`. This will result in us incrementing the major version more frequently, but does not change our existing backwards compatibility policy.
  • BACKWARDS INCOMPATIBLE: The :doc:`/x509/index` PEM parsers now require that the PEM string passed have PEM delimiters of the correct type. For example, parsing a private key PEM concatenated with a certificate PEM will no longer be accepted by the PEM certificate parser.
  • BACKWARDS INCOMPATIBLE: The X.509 certificate parser no longer allows negative serial numbers. RFC 5280 has always prohibited these.
  • BACKWARDS INCOMPATIBLE: Additional forms of invalid ASN.1 found during :doc:`/x509/index` parsing will raise an error on initial parse rather than when the malformed field is accessed.
  • Rust is now required for building cryptography, the CRYPTOGRAPHY_DONT_BUILD_RUST environment variable is no longer respected.
  • Parsers for :doc:`/x509/index` no longer use OpenSSL and have been rewritten in Rust. This should be backwards compatible (modulo the items listed above) and improve both security and performance.
  • Added support for OpenSSL 3.0.0 as a compilation target.
  • Added support for :class:`~cryptography.hazmat.primitives.hashes.SM3` and :class:`~cryptography.hazmat.primitives.ciphers.algorithms.SM4`, when using OpenSSL 1.1.1. These algorithms are provided for compatibility in regions where they may be required, and are not generally recommended.
  • We now ship manylinux_2_24 and musllinux_1_1 wheels, in addition to our manylinux2010 and manylinux2014 wheels. Users on distributions like Alpine Linux should ensure they upgrade to the latest pip to correctly receive wheels.
  • Added rfc4514_attribute_name attribute to :attr:`x509.NameAttribute <cryptography.x509.NameAttribute.rfc4514_attribute_name>`.
  • Added :class:`~cryptography.hazmat.primitives.kdf.kbkdf.KBKDFCMAC`.

3.4.8 - 2021-08-24

  • Updated Windows, macOS, and manylinux wheels to be compiled with OpenSSL 1.1.1l.

3.4.7 - 2021-03-25

  • Updated Windows, macOS, and manylinux wheels to be compiled with OpenSSL 1.1.1k.

3.4.6 - 2021-02-16

  • Updated Windows, macOS, and manylinux wheels to be compiled with OpenSSL 1.1.1j.

3.4.5 - 2021-02-13

  • Various improvements to type hints.
  • Lower the minimum supported Rust version (MSRV) to >=1.41.0. This change improves compatibility with system-provided Rust on several Linux distributions.
  • cryptography will be switching to a new versioning scheme with its next feature release. More information is available in our :doc:`/api-stability` documentation.

3.4.4 - 2021-02-09

  • Added a py.typed file so that mypy will know to use our type annotations.
  • Fixed an import cycle that could be triggered by certain import sequences.

3.4.3 - 2021-02-08

  • Specify our supported Rust version (>=1.45.0) in our setup.py so users on older versions will get a clear error message.

3.4.2 - 2021-02-08

  • Improvements to make the rust transition a bit easier. This includes some better error messages and small dependency fixes. If you experience installation problems Be sure to update pip first, then check the :doc:`FAQ </faq>`.

3.4.1 - 2021-02-07

  • Fixed a circular import issue.
  • Added additional debug output to assist users seeing installation errors due to outdated pip or missing rustc.

3.4 - 2021-02-07

  • BACKWARDS INCOMPATIBLE: Support for Python 2 has been removed.
  • We now ship manylinux2014 wheels and no longer ship manylinux1 wheels. Users should upgrade to the latest pip to ensure this doesn't cause issues downloading wheels on their platform.
  • cryptography now incorporates Rust code. Users building cryptography themselves will need to have the Rust toolchain installed. Users who use an officially produced wheel will not need to make any changes. The minimum supported Rust version is 1.45.0.
  • cryptography now has PEP 484 type hints on nearly all of of its public APIs. Users can begin using them to type check their code with mypy.

3.3.2 - 2021-02-07

  • SECURITY ISSUE: Fixed a bug where certain sequences of update() calls when symmetrically encrypting very large payloads (>2GB) could result in an integer overflow, leading to buffer overflows. CVE-2020-36242 Update: This fix is a workaround for CVE-2021-23840 in OpenSSL, fixed in OpenSSL 1.1.1j.

3.3.1 - 2020-12-09

  • Re-added a legacy symbol causing problems for older pyOpenSSL users.

3.3 - 2020-12-08

  • BACKWARDS INCOMPATIBLE: Support for Python 3.5 has been removed due to low usage and maintenance burden.
  • BACKWARDS INCOMPATIBLE: The :class:`~cryptography.hazmat.primitives.ciphers.modes.GCM` and :class:`~cryptography.hazmat.primitives.ciphers.aead.AESGCM` now require 64-bit to 1024-bit (8 byte to 128 byte) initialization vectors. This change is to conform with an upcoming OpenSSL release that will no longer support sizes outside this window.
  • BACKWARDS INCOMPATIBLE: When deserializing asymmetric keys we now raise ValueError rather than UnsupportedAlgorithm when an unsupported cipher is used. This change is to conform with an upcoming OpenSSL release that will no longer distinguish between error types.
  • BACKWARDS INCOMPATIBLE: We no longer allow loading of finite field Diffie-Hellman parameters of less than 512 bits in length. This change is to conform with an upcoming OpenSSL release that no longer supports smaller sizes. These keys were already wildly insecure and should not have been used in any application outside of testing.
  • Updated Windows, macOS, and manylinux wheels to be compiled with OpenSSL 1.1.1i.
  • Python 2 support is deprecated in cryptography. This is the last release that will support Python 2.
  • Added the :meth:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicKey.recover_data_from_signature` function to :class:`~cryptography.hazmat.primitives.asymmetric.rsa.RSAPublicKey` for recovering the signed data from an RSA signature.

3.2.1 - 2020-10-27

  • Disable blinding on RSA public keys to address an error with some versions of OpenSSL.

3.2 - 2020-10-25

  • SECURITY ISSUE: Attempted to make RSA PKCS#1v1.5 decryption more constant time, to protect against Bleichenbacher vulnerabilities. Due to limitations imposed by our API, we cannot completely mitigate this vulnerability and a future release will contain a new API which is designed to be resilient to these for contexts where it is required. Credit to Hubert Kario for reporting the issue. CVE-2020-25659
  • Support for OpenSSL 1.0.2 has been removed. Users on older version of OpenSSL will need to upgrade.
  • Added basic support for PKCS7 signing (including SMIME) via :class:`~cryptography.hazmat.primitives.serialization.pkcs7.PKCS7SignatureBuilder`.

3.1.1 - 2020-09-22

  • Updated Windows, macOS, and manylinux wheels to be compiled with OpenSSL 1.1.1h.

3.1 - 2020-08-26

3.0 - 2020-07-20

2.9.2 - 2020-04-22

  • Updated the macOS wheel to fix an issue where it would not run on macOS versions older than 10.15.

2.9.1 - 2020-04-21

  • Updated Windows, macOS, and manylinux wheels to be compiled with OpenSSL 1.1.1g.

2.9 - 2020-04-02

2.8 - 2019-10-16

2.7 - 2019-05-30

2.6.1 - 2019-02-27

  • Resolved an error in our build infrastructure that broke our Python3 wheels for macOS and Linux.

2.6 - 2019-02-27

2.5 - 2019-01-22

2.4.2 - 2018-11-21

  • Updated Windows, macOS, and manylinux1 wheels to be compiled with OpenSSL 1.1.0j.

2.4.1 - 2018-11-11

  • Fixed a build breakage in our manylinux1 wheels.

2.4 - 2018-11-11

  • BACKWARDS INCOMPATIBLE: Dropped support for LibreSSL 2.4.x.
  • Deprecated OpenSSL 1.0.1 support. OpenSSL 1.0.1 is no longer supported by the OpenSSL project. At this time there is no time table for dropping support, however we strongly encourage all users to upgrade or install cryptography from a wheel.
  • Added initial :doc:`OCSP </x509/ocsp>` support.
  • Added support for :class:`~cryptography.x509.PrecertPoison`.

2.3.1 - 2018-08-14

  • Updated Windows, macOS, and manylinux1 wheels to be compiled with OpenSSL 1.1.0i.

2.3 - 2018-07-18

2.2.2 - 2018-03-27

  • Updated Windows, macOS, and manylinux1 wheels to be compiled with OpenSSL 1.1.0h.

2.2.1 - 2018-03-20

2.2 - 2018-03-19

2.1.4 - 2017-11-29

  • Added X509_up_ref for an upcoming pyOpenSSL release.

2.1.3 - 2017-11-02

  • Updated Windows, macOS, and manylinux1 wheels to be compiled with OpenSSL 1.1.0g.

2.1.2 - 2017-10-24

  • Corrected a bug with the manylinux1 wheels where OpenSSL's stack was marked executable.

2.1.1 - 2017-10-12

  • Fixed support for install with the system pip on Ubuntu 16.04.

2.1 - 2017-10-11

2.0.3 - 2017-08-03

  • Fixed an issue with weak linking symbols when compiling on macOS versions older than 10.12.

2.0.2 - 2017-07-27

  • Marked all symbols as hidden in the manylinux1 wheel to avoid a bug with symbol resolution in certain scenarios.

2.0.1 - 2017-07-26

  • Fixed a compilation bug affecting OpenBSD.
  • Altered the manylinux1 wheels to statically link OpenSSL instead of dynamically linking and bundling the shared object. This should resolve crashes seen when using uwsgi or other binaries that link against OpenSSL independently.
  • Fixed the stack level for the signer and verifier warnings.

2.0 - 2017-07-17

1.9 - 2017-05-29

1.8.2 - 2017-05-26

  • Fixed a compilation bug affecting OpenSSL 1.1.0f.
  • Updated Windows and macOS wheels to be compiled against OpenSSL 1.1.0f.

1.8.1 - 2017-03-10

  • Fixed macOS wheels to properly link against 1.1.0 rather than 1.0.2.

1.8 - 2017-03-09

1.7.2 - 2017-01-27

  • Updated Windows and macOS wheels to be compiled against OpenSSL 1.0.2k.

1.7.1 - 2016-12-13

  • Fixed a regression in int_from_bytes where it failed to accept bytearray.

1.7 - 2016-12-12

1.6 - 2016-11-22

1.5.3 - 2016-11-05

  • SECURITY ISSUE: Fixed a bug where HKDF would return an empty byte-string if used with a length less than algorithm.digest_size. Credit to Markus Döring for reporting the issue. CVE-2016-9243

1.5.2 - 2016-09-26

  • Updated Windows and OS X wheels to be compiled against OpenSSL 1.0.2j.

1.5.1 - 2016-09-22

  • Updated Windows and OS X wheels to be compiled against OpenSSL 1.0.2i.
  • Resolved a UserWarning when used with cffi 1.8.3.
  • Fixed a memory leak in name creation with X.509.
  • Added a workaround for old versions of setuptools.
  • Fixed an issue preventing cryptography from compiling against OpenSSL 1.0.2i.

1.5 - 2016-08-26

1.4 - 2016-06-04

1.3.4 - 2016-06-03

  • Added another OpenSSL function to the bindings to support an upcoming pyOpenSSL release.

1.3.3 - 2016-06-02

  • Added two new OpenSSL functions to the bindings to support an upcoming pyOpenSSL release.

1.3.2 - 2016-05-04

  • Updated Windows and OS X wheels to be compiled against OpenSSL 1.0.2h.
  • Fixed an issue preventing cryptography from compiling against LibreSSL 2.3.x.

1.3.1 - 2016-03-21

  • Fixed a bug that caused an AttributeError when using mock to patch some cryptography modules.

1.3 - 2016-03-18

1.2.3 - 2016-03-01

  • Updated Windows and OS X wheels to be compiled against OpenSSL 1.0.2g.

1.2.2 - 2016-01-29

  • Updated Windows and OS X wheels to be compiled against OpenSSL 1.0.2f.

1.2.1 - 2016-01-08

  • Reverts a change to an OpenSSL EVP_PKEY object that caused errors with pyOpenSSL.

1.2 - 2016-01-08

1.1.2 - 2015-12-10

  • Fixed a SIGBUS crash with the OS X wheels caused by redefinition of a method.
  • Fixed a runtime error undefined symbol EC_GFp_nistp224_method that occurred with some OpenSSL installations.
  • Updated Windows and OS X wheels to be compiled against OpenSSL 1.0.2e.

1.1.1 - 2015-11-19

  • Fixed several small bugs related to compiling the OpenSSL bindings with unusual OpenSSL configurations.
  • Resolved an issue where, depending on the method of installation and which Python interpreter they were using, users on El Capitan (OS X 10.11) may have seen an InternalError on import.

1.1 - 2015-10-28

1.0.2 - 2015-09-27

  • SECURITY ISSUE: The OpenSSL backend prior to 1.0.2 made extensive use of assertions to check response codes where our tests could not trigger a failure. However, when Python is run with -O these asserts are optimized away. If a user ran Python with this flag and got an invalid response code this could result in undefined behavior or worse. Accordingly, all response checks from the OpenSSL backend have been converted from assert to a true function call. Credit Emilia Käsper (Google Security Team) for the report.

1.0.1 - 2015-09-05

  • We now ship OS X wheels that statically link OpenSSL by default. When installing a wheel on OS X 10.10+ (and using a Python compiled against the 10.10 SDK) users will no longer need to compile. See :doc:`/installation` for alternate installation methods if required.
  • Set the default string mask to UTF-8 in the OpenSSL backend to resolve character encoding issues with older versions of OpenSSL.
  • Several new OpenSSL bindings have been added to support a future pyOpenSSL release.
  • Raise an error during install on PyPy < 2.6. 1.0+ requires PyPy 2.6+.

1.0 - 2015-08-12

0.9.3 - 2015-07-09

  • Updated Windows wheels to be compiled against OpenSSL 1.0.2d.

0.9.2 - 2015-07-04

  • Updated Windows wheels to be compiled against OpenSSL 1.0.2c.

0.9.1 - 2015-06-06

  • SECURITY ISSUE: Fixed a double free in the OpenSSL backend when using DSA to verify signatures. Note that this only affects PyPy 2.6.0 and (presently unreleased) CFFI versions greater than 1.1.0.

0.9 - 2015-05-13

0.8.2 - 2015-04-10

  • Fixed a race condition when initializing the OpenSSL or CommonCrypto backends in a multi-threaded scenario.

0.8.1 - 2015-03-20

  • Updated Windows wheels to be compiled against OpenSSL 1.0.2a.

0.8 - 2015-03-08

0.7.2 - 2015-01-16

  • Updated Windows wheels to be compiled against OpenSSL 1.0.1l.
  • enum34 is no longer installed on Python 3.4, where it is included in the standard library.
  • Added a new function to the OpenSSL bindings to support additional functionality in pyOpenSSL.

0.7.1 - 2014-12-28

  • Fixed an issue preventing compilation on platforms where OPENSSL_NO_SSL3 was defined.

0.7 - 2014-12-17

0.6.1 - 2014-10-15

  • Updated Windows wheels to be compiled against OpenSSL 1.0.1j.
  • Fixed an issue where OpenSSL 1.0.1j changed the errors returned by some functions.
  • Added our license file to the cryptography-vectors package.
  • Implemented DSA hash truncation support (per FIPS 186-3) in the OpenSSL backend. This works around an issue in 1.0.0, 1.0.0a, and 1.0.0b where truncation was not implemented.

0.6 - 2014-09-29

0.5.4 - 2014-08-20

  • Added several functions to the OpenSSL bindings to support new functionality in pyOpenSSL.
  • Fixed a redefined constant causing compilation failure with Solaris 11.2.

0.5.3 - 2014-08-06

  • Updated Windows wheels to be compiled against OpenSSL 1.0.1i.

0.5.2 - 2014-07-09

  • Add TraditionalOpenSSLSerializationBackend support to multibackend.
  • Fix compilation error on OS X 10.8 (Mountain Lion).

0.5.1 - 2014-07-07

  • Add PKCS8SerializationBackend support to multibackend.

0.5 - 2014-07-07

0.4 - 2014-05-03

0.3 - 2014-03-27

0.2.2 - 2014-03-03

  • Removed a constant definition that was causing compilation problems with specific versions of OpenSSL.

0.2.1 - 2014-02-22

  • Fix a bug where importing cryptography from multiple paths could cause initialization to fail.

0.2 - 2014-02-20

0.1 - 2014-01-08

  • Initial release.