From 67c967c2d16c29f193fde43b3c48edf0911baccd Mon Sep 17 00:00:00 2001 From: Fabrice Fontaine Date: Mon, 20 Feb 2023 14:21:13 +0100 Subject: [PATCH] package/python-cryptography: security bump to version 39.0.1 Fix CVE-2023-23931: cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. In affected versions `Cipher.update_into` would accept Python objects which implement the buffer protocol, but provide only immutable buffers. This would allow immutable objects (such as `bytes`) to be mutated, thus violating fundamental rules of Python and resulting in corrupted output. This now correctly raises an exception. This issue has been present since `update_into` was originally introduced in cryptography 1.8. https://github.com/pyca/cryptography/security/advisories/GHSA-w7pp-m8wf-vj6r https://cryptography.io/en/latest/changelog/#v39-0-1 Signed-off-by: Fabrice Fontaine Signed-off-by: Peter Korsgaard --- package/python-cryptography/python-cryptography.hash | 2 +- package/python-cryptography/python-cryptography.mk | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/package/python-cryptography/python-cryptography.hash b/package/python-cryptography/python-cryptography.hash index 3f2204eeb1..a23944a06f 100644 --- a/package/python-cryptography/python-cryptography.hash +++ b/package/python-cryptography/python-cryptography.hash @@ -1,5 +1,5 @@ # Locally calculated after vendoring -sha256 2d00e023261719f85caf360ee061d37ee27654a0344d1376441c8a29ea3bac86 cryptography-39.0.0.tar.gz +sha256 531348679f144d118156be5b17ddac750974cdcd9f44bb0a7cfd7ddcfee79c80 cryptography-39.0.1.tar.gz # Locally computed sha256 checksums sha256 43dad2cc752ab721cd9a9f36ece70fb53ab7713551f2d3d8694d8e8c5a06d6e2 LICENSE sha256 aac73b3148f6d1d7111dbca32099f68d26c644c6813ae1e4f05f6579aa2663fe LICENSE.APACHE diff --git a/package/python-cryptography/python-cryptography.mk b/package/python-cryptography/python-cryptography.mk index 6868ff4633..a130b2d10d 100644 --- a/package/python-cryptography/python-cryptography.mk +++ b/package/python-cryptography/python-cryptography.mk @@ -4,9 +4,9 @@ # ################################################################################ -PYTHON_CRYPTOGRAPHY_VERSION = 39.0.0 +PYTHON_CRYPTOGRAPHY_VERSION = 39.0.1 PYTHON_CRYPTOGRAPHY_SOURCE = cryptography-$(PYTHON_CRYPTOGRAPHY_VERSION).tar.gz -PYTHON_CRYPTOGRAPHY_SITE = https://files.pythonhosted.org/packages/12/e3/c46c274cf466b24e5d44df5d5cd31a31ff23e57f074a2bb30931a8c9b01a +PYTHON_CRYPTOGRAPHY_SITE = https://files.pythonhosted.org/packages/6a/f5/a729774d087e50fffd1438b3877a91e9281294f985bda0fd15bf99016c78 PYTHON_CRYPTOGRAPHY_SETUP_TYPE = setuptools PYTHON_CRYPTOGRAPHY_LICENSE = Apache-2.0 or BSD-3-Clause PYTHON_CRYPTOGRAPHY_LICENSE_FILES = LICENSE LICENSE.APACHE LICENSE.BSD