Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package python-cryptography for
openSUSE:Factory checked in at 2026-03-28 20:12:17
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/python-cryptography (Old)
and /work/SRC/openSUSE:Factory/.python-cryptography.new.8177 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "python-cryptography"
Sat Mar 28 20:12:17 2026 rev:108 rq:1343139 version:46.0.6
Changes:
--------
--- /work/SRC/openSUSE:Factory/python-cryptography/python-cryptography.changes
2026-02-14 21:36:49.391424184 +0100
+++
/work/SRC/openSUSE:Factory/.python-cryptography.new.8177/python-cryptography.changes
2026-03-28 20:12:20.218912026 +0100
@@ -1,0 +2,11 @@
+Fri Mar 27 09:11:38 UTC 2026 - Dirk Müller <[email protected]>
+
+- update to 46.0.6 (CVE-2026-34073, bsc#1260876):
+ * SECURITY ISSUE: Fixed a bug where name constraints were not
+ applied to peer names during verification when the leaf
+ certificate contains a wildcard DNS SAN. Ordinary X.509
+ topologies are not affected by this bug, including those used
+ by the Web PKI. Credit to Oleh Konko (1seal) for reporting
+ the issue. CVE-2026-34073
+
+-------------------------------------------------------------------
Old:
----
cryptography-46.0.5.tar.gz
New:
----
cryptography-46.0.6.tar.gz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ python-cryptography.spec ++++++
--- /var/tmp/diff_new_pack.86SeQ4/_old 2026-03-28 20:12:21.206952754 +0100
+++ /var/tmp/diff_new_pack.86SeQ4/_new 2026-03-28 20:12:21.206952754 +0100
@@ -28,7 +28,7 @@
%{?sle15_python_module_pythons}
Name: python-cryptography%{psuffix}
# ALWAYS KEEP IN SYNC WITH python-cryptography-vectors!
-Version: 46.0.5
+Version: 46.0.6
Release: 0
Summary: Python library which exposes cryptographic recipes and
primitives
License: Apache-2.0 OR BSD-3-Clause
++++++ cryptography-46.0.5.tar.gz -> cryptography-46.0.6.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/cryptography-46.0.5/CHANGELOG.rst
new/cryptography-46.0.6/CHANGELOG.rst
--- old/cryptography-46.0.5/CHANGELOG.rst 2026-02-10 20:11:41.000000000
+0100
+++ new/cryptography-46.0.6/CHANGELOG.rst 2026-03-26 00:26:23.000000000
+0100
@@ -3,6 +3,15 @@
.. _v46-0-5:
+46.0.6 - 2026-03-25
+~~~~~~~~~~~~~~~~~~~
+
+* **SECURITY ISSUE**: Fixed a bug where name constraints were not applied
+ to peer names during verification when the leaf certificate contains a
+ wildcard DNS SAN. Ordinary X.509 topologies are not affected by this bug,
+ including those used by the Web PKI. Credit to **Oleh Konko (1seal)** for
+ reporting the issue. **CVE-2026-34073**
+
46.0.5 - 2026-02-10
~~~~~~~~~~~~~~~~~~~
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/cryptography-46.0.5/PKG-INFO
new/cryptography-46.0.6/PKG-INFO
--- old/cryptography-46.0.5/PKG-INFO 1970-01-01 01:00:00.000000000 +0100
+++ new/cryptography-46.0.6/PKG-INFO 1970-01-01 01:00:00.000000000 +0100
@@ -1,6 +1,6 @@
Metadata-Version: 2.4
Name: cryptography
-Version: 46.0.5
+Version: 46.0.6
Classifier: Development Status :: 5 - Production/Stable
Classifier: Intended Audience :: Developers
Classifier: Natural Language :: English
@@ -28,7 +28,7 @@
Requires-Dist: typing-extensions>=4.13.2 ; python_full_version < '3.11'
Requires-Dist: bcrypt>=3.1.5 ; extra == 'ssh'
Requires-Dist: nox[uv]>=2024.4.15 ; extra == 'nox'
-Requires-Dist: cryptography-vectors==46.0.5 ; extra == 'test'
+Requires-Dist: cryptography-vectors==46.0.6 ; extra == 'test'
Requires-Dist: pytest>=7.4.0 ; extra == 'test'
Requires-Dist: pytest-benchmark>=4.0 ; extra == 'test'
Requires-Dist: pytest-cov>=2.10.1 ; extra == 'test'
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/cryptography-46.0.5/pyproject.toml
new/cryptography-46.0.6/pyproject.toml
--- old/cryptography-46.0.5/pyproject.toml 2026-02-10 20:11:41.000000000
+0100
+++ new/cryptography-46.0.6/pyproject.toml 2026-03-26 00:26:23.000000000
+0100
@@ -16,7 +16,7 @@
[project]
name = "cryptography"
-version = "46.0.5"
+version = "46.0.6"
authors = [
{ name = "The Python Cryptographic Authority and individual contributors",
email = "[email protected]" },
]
@@ -70,7 +70,7 @@
# All the following are used for our own testing.
nox = ["nox[uv] >=2024.04.15"]
test = [
- "cryptography_vectors==46.0.5",
+ "cryptography_vectors==46.0.6",
"pytest >=7.4.0",
"pytest-benchmark >=4.0",
"pytest-cov >=2.10.1",
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/cryptography-46.0.5/src/cryptography/__about__.py
new/cryptography-46.0.6/src/cryptography/__about__.py
--- old/cryptography-46.0.5/src/cryptography/__about__.py 2026-02-10
20:11:41.000000000 +0100
+++ new/cryptography-46.0.6/src/cryptography/__about__.py 2026-03-26
00:26:23.000000000 +0100
@@ -10,7 +10,7 @@
"__version__",
]
-__version__ = "46.0.5"
+__version__ = "46.0.6"
__author__ = "The Python Cryptographic Authority and individual contributors"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/cryptography-46.0.5/src/rust/cryptography-x509-verification/src/lib.rs
new/cryptography-46.0.6/src/rust/cryptography-x509-verification/src/lib.rs
--- old/cryptography-46.0.5/src/rust/cryptography-x509-verification/src/lib.rs
2026-02-10 20:11:41.000000000 +0100
+++ new/cryptography-46.0.6/src/rust/cryptography-x509-verification/src/lib.rs
2026-03-26 00:26:23.000000000 +0100
@@ -162,9 +162,7 @@
// match exactly one subdomain of `foo.com`. Therefore, the
NC's matching
// set is a strict superset of any possible wildcard SAN
pattern.
match (DNSConstraint::new(constraint.0),
DNSPattern::new(name.0)) {
- (Some(constraint), Some(name)) => {
- Ok(Applied(constraint.matches(name.inner_name())))
- }
+ (Some(constraint), Some(name)) =>
Ok(Applied(constraint.matches(&name))),
(_, None) =>
Err(ValidationError::new(ValidationErrorKind::Other(format!(
"unsatisfiable DNS name constraint: malformed SAN {}",
name.0
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/cryptography-46.0.5/src/rust/cryptography-x509-verification/src/types.rs
new/cryptography-46.0.6/src/rust/cryptography-x509-verification/src/types.rs
---
old/cryptography-46.0.5/src/rust/cryptography-x509-verification/src/types.rs
2026-02-10 20:11:41.000000000 +0100
+++
new/cryptography-46.0.6/src/rust/cryptography-x509-verification/src/types.rs
2026-03-26 00:26:23.000000000 +0100
@@ -138,19 +138,6 @@
},
}
}
-
- /// Returns the inner `DNSName` within this `DNSPattern`, e.g.
- /// `foo.com` for `*.foo.com` or `example.com` for `example.com`.
- ///
- /// This API must not be used to bypass pattern matching; it exists
- /// solely to enable checks that only require the inner name, such
- /// as Name Constraint checks.
- pub fn inner_name(&self) -> &DNSName<'a> {
- match self {
- DNSPattern::Exact(dnsname) => dnsname,
- DNSPattern::Wildcard(dnsname) => dnsname,
- }
- }
}
/// A `DNSConstraint` represents a DNS name constraint as defined in [RFC 5280
4.2.1.10].
@@ -163,35 +150,45 @@
DNSName::new(pattern).map(Self)
}
- /// Returns true if this `DNSConstraint` matches the given name.
+ /// Returns true if this `DNSConstraint` matches the given `DNSPattern`.
///
/// Constraint matching is defined by RFC 5280: any DNS name that can
/// be constructed by simply adding zero or more labels to the left-hand
/// side of the name satisfies the name constraint.
///
- /// ```rust
- /// # use cryptography_x509_verification::types::{DNSConstraint, DNSName};
- /// let example_com = DNSName::new("example.com").unwrap();
- /// let badexample_com = DNSName::new("badexample.com").unwrap();
- /// let foo_example_com = DNSName::new("foo.example.com").unwrap();
- ///
assert!(DNSConstraint::new(example_com.as_str()).unwrap().matches(&example_com));
- ///
assert!(DNSConstraint::new(example_com.as_str()).unwrap().matches(&foo_example_com));
- ///
assert!(!DNSConstraint::new(example_com.as_str()).unwrap().matches(&badexample_com));
- /// ```
- pub fn matches(&self, name: &DNSName<'_>) -> bool {
- // NOTE: This may seem like an obtuse way to perform label matching,
- // but it saves us a few allocations: doing a substring check instead
- // would require us to clone each string and do case normalization.
- // Note also that we check the length in advance: Rust's zip
- // implementation terminates with the shorter iterator, so we need
- // to first check that the candidate name is at least as long as
- // the constraint it's matching against.
- name.as_str().len() >= self.0.as_str().len()
- && self
- .0
- .rlabels()
- .zip(name.rlabels())
- .all(|(a, o)| a.eq_ignore_ascii_case(o))
+ /// On top of what RFC 5280 specifies, we define behavior for wildcard
+ /// patterns (which are not covered by RFC 5280): a wildcard pattern
+ /// matches a constraint if the pattern matches the constraint's inner
name,
+ /// _or_ if the pattern's inner name matches the constraint.
+ /// This allows us to reject DNS names like `*.example.com` when
+ /// the constraint is `example.com` or `bar.example.com`.
+ pub fn matches(&self, name: &DNSPattern<'_>) -> bool {
+ match name {
+ DNSPattern::Exact(name) => {
+ // NOTE: This may seem like an obtuse way to perform label
matching,
+ // but it saves us a few allocations: doing a substring check
instead
+ // would require us to clone each string and do case
normalization.
+ // Note also that we check the length in advance: Rust's zip
+ // implementation terminates with the shorter iterator, so we
need
+ // to first check that the candidate name is at least as long
as
+ // the constraint it's matching against.
+ name.as_str().len() >= self.0.as_str().len()
+ && self
+ .0
+ .rlabels()
+ .zip(name.rlabels())
+ .all(|(a, o)| a.eq_ignore_ascii_case(o))
+ }
+ DNSPattern::Wildcard(inner) => {
+ // NOTE: This check is not as simple as a single pattern match,
+ // since we need two subtly distinct cases here:
+ // 1. Constraint `bar.example.com` on `*.example.com`
+ // 2. Constraint `example.com` on `*.example.com`
+ // The first cases is handled by `DNSPattern::matches`, and
the second is handled
+ // by `DNSConstraint::matches`.
+ name.matches(&self.0) ||
self.matches(&DNSPattern::Exact(inner.clone()))
+ }
+ }
}
}
@@ -597,14 +594,33 @@
let example_com = DNSConstraint::new("example.com").unwrap();
// Exact domain and arbitrary subdomains match.
- assert!(example_com.matches(&DNSName::new("example.com").unwrap()));
-
assert!(example_com.matches(&DNSName::new("foo.example.com").unwrap()));
-
assert!(example_com.matches(&DNSName::new("foo.bar.baz.quux.example.com").unwrap()));
+ assert!(example_com.matches(&DNSPattern::new("example.com").unwrap()));
+
assert!(example_com.matches(&DNSPattern::new("foo.example.com").unwrap()));
+
assert!(example_com.matches(&DNSPattern::new("foo.bar.baz.quux.example.com").unwrap()));
// Parent domains, distinct domains, and substring domains do not
match.
- assert!(!example_com.matches(&DNSName::new("com").unwrap()));
-
assert!(!example_com.matches(&DNSName::new("badexample.com").unwrap()));
- assert!(!example_com.matches(&DNSName::new("wrong.com").unwrap()));
+ assert!(!example_com.matches(&DNSPattern::new("com").unwrap()));
+
assert!(!example_com.matches(&DNSPattern::new("badexample.com").unwrap()));
+ assert!(!example_com.matches(&DNSPattern::new("wrong.com").unwrap()));
+ }
+
+ #[test]
+ fn test_dnsconstraint_matches_wildcard() {
+ let com = DNSConstraint::new("com").unwrap();
+ let example_com = DNSConstraint::new("example.com").unwrap();
+ let bar_example_com = DNSConstraint::new("bar.example.com").unwrap();
+ let baz_bar_example_com =
DNSConstraint::new("baz.bar.example.com").unwrap();
+ let any_example_com = DNSPattern::new("*.example.com").unwrap();
+
+ assert!(com.matches(&any_example_com));
+ assert!(example_com.matches(&any_example_com));
+ assert!(bar_example_com.matches(&any_example_com));
+
+ // A constraint on `baz.bar.example.com` doesn't match `*.example.com`,
+ // since `baz.bar.example.com` matches zero or more sublabels of
+ // `baz.bar.example.com` while `*.example.com` matches exactly one
+ // sublabel of `example.com`.
+ assert!(!baz_bar_example_com.matches(&any_example_com));
}
#[test]
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/cryptography-46.0.5/tests/x509/verification/test_limbo.py
new/cryptography-46.0.6/tests/x509/verification/test_limbo.py
--- old/cryptography-46.0.5/tests/x509/verification/test_limbo.py
2026-02-10 20:11:41.000000000 +0100
+++ new/cryptography-46.0.6/tests/x509/verification/test_limbo.py
2026-03-26 00:26:23.000000000 +0100
@@ -85,6 +85,16 @@
# with what webpki and rustls do, but inconsistent with Go and OpenSSL.
"rfc5280::ca-as-leaf",
"pathlen::validation-ignores-pathlen-in-leaf",
+ # These CABF SAN/CN mismatch tests are pretty niche.
+ "webpki::cn::ipv4-hex-mismatch",
+ "webpki::cn::ipv4-leading-zeros-mismatch",
+ "webpki::cn::ipv6-uppercase-mismatch",
+ "webpki::cn::ipv6-uncompressed-mismatch",
+ "webpki::cn::ipv6-non-rfc5952-mismatch",
+ "webpki::cn::punycode-not-in-san",
+ "webpki::cn::utf8-vs-punycode-mismatch",
+ "webpki::cn::not-in-san",
+ "webpki::cn::case-mismatch",
}
++++++ no-pytest_benchmark.patch ++++++
--- /var/tmp/diff_new_pack.86SeQ4/_old 2026-03-28 20:12:21.646970892 +0100
+++ /var/tmp/diff_new_pack.86SeQ4/_new 2026-03-28 20:12:21.650971057 +0100
@@ -1,10 +1,10 @@
-Index: cryptography-46.0.5/pyproject.toml
+Index: cryptography-46.0.6/pyproject.toml
===================================================================
---- cryptography-46.0.5.orig/pyproject.toml
-+++ cryptography-46.0.5/pyproject.toml
+--- cryptography-46.0.6.orig/pyproject.toml
++++ cryptography-46.0.6/pyproject.toml
@@ -72,8 +72,6 @@ nox = ["nox[uv] >=2024.04.15"]
test = [
- "cryptography_vectors==46.0.5",
+ "cryptography_vectors==46.0.6",
"pytest >=7.4.0",
- "pytest-benchmark >=4.0",
- "pytest-cov >=2.10.1",
@@ -51,10 +51,10 @@
[tool.ruff]
line-length = 79
-Index: cryptography-46.0.5/tests/bench/test_aead.py
+Index: cryptography-46.0.6/tests/bench/test_aead.py
===================================================================
---- cryptography-46.0.5.orig/tests/bench/test_aead.py
-+++ cryptography-46.0.5/tests/bench/test_aead.py
+--- cryptography-46.0.6.orig/tests/bench/test_aead.py
++++ cryptography-46.0.6/tests/bench/test_aead.py
@@ -26,84 +26,84 @@ def _aead_supported(cls):
not _aead_supported(ChaCha20Poly1305),
reason="Requires OpenSSL with ChaCha20Poly1305 support",
@@ -160,10 +160,10 @@
ct = aes.encrypt(b"\x00" * 12, b"hello world plaintext", None)
- benchmark(aes.decrypt, b"\x00" * 12, ct, None)
+ aes.decrypt(b"\x00" * 12, ct, None)
-Index: cryptography-46.0.5/tests/bench/test_ec_load.py
+Index: cryptography-46.0.6/tests/bench/test_ec_load.py
===================================================================
---- cryptography-46.0.5.orig/tests/bench/test_ec_load.py
-+++ cryptography-46.0.5/tests/bench/test_ec_load.py
+--- cryptography-46.0.6.orig/tests/bench/test_ec_load.py
++++ cryptography-46.0.6/tests/bench/test_ec_load.py
@@ -5,9 +5,9 @@
from ..hazmat.primitives.fixtures_ec import EC_KEY_SECP256R1
@@ -178,10 +178,10 @@
- benchmark(EC_KEY_SECP256R1.private_key)
+def test_load_ec_private_numbers():
+ EC_KEY_SECP256R1.private_key()
-Index: cryptography-46.0.5/tests/bench/test_hashes.py
+Index: cryptography-46.0.6/tests/bench/test_hashes.py
===================================================================
---- cryptography-46.0.5.orig/tests/bench/test_hashes.py
-+++ cryptography-46.0.5/tests/bench/test_hashes.py
+--- cryptography-46.0.6.orig/tests/bench/test_hashes.py
++++ cryptography-46.0.6/tests/bench/test_hashes.py
@@ -5,10 +5,10 @@
from cryptography.hazmat.primitives import hashes
@@ -195,10 +195,10 @@
- benchmark(bench)
+ bench()
-Index: cryptography-46.0.5/tests/bench/test_hmac.py
+Index: cryptography-46.0.6/tests/bench/test_hmac.py
===================================================================
---- cryptography-46.0.5.orig/tests/bench/test_hmac.py
-+++ cryptography-46.0.5/tests/bench/test_hmac.py
+--- cryptography-46.0.6.orig/tests/bench/test_hmac.py
++++ cryptography-46.0.6/tests/bench/test_hmac.py
@@ -5,10 +5,10 @@
from cryptography.hazmat.primitives import hashes, hmac
@@ -212,10 +212,10 @@
- benchmark(bench)
+ bench()
-Index: cryptography-46.0.5/tests/bench/test_x509.py
+Index: cryptography-46.0.6/tests/bench/test_x509.py
===================================================================
---- cryptography-46.0.5.orig/tests/bench/test_x509.py
-+++ cryptography-46.0.5/tests/bench/test_x509.py
+--- cryptography-46.0.6.orig/tests/bench/test_x509.py
++++ cryptography-46.0.6/tests/bench/test_x509.py
@@ -13,40 +13,40 @@ from cryptography import x509
from ..utils import load_vectors_from_file
++++++ vendor.tar.zst ++++++
++++ 576540 lines of diff (skipped)
