Hello community,

here is the log from the commit of package python-cryptography for 
openSUSE:Factory checked in at 2026-02-14 21:36:22
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/python-cryptography (Old)
 and      /work/SRC/openSUSE:Factory/.python-cryptography.new.1977 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "python-cryptography"

Sat Feb 14 21:36:22 2026 rev:107 rq:1332853 version:46.0.5

Changes:
--------
--- /work/SRC/openSUSE:Factory/python-cryptography/python-cryptography.changes  
2025-12-09 12:50:18.207805139 +0100
+++ 
/work/SRC/openSUSE:Factory/.python-cryptography.new.1977/python-cryptography.changes
        2026-02-14 21:36:49.391424184 +0100
@@ -1,0 +2,19 @@
+Thu Feb 12 16:31:39 UTC 2026 - Nico Krapp <[email protected]>
+
+- Update to 46.0.5 (fixes CVE-2026-26007, bsc#1258074)
+  * An attacker could create a malicious public key that reveals portions of
+    your private key when using certain uncommon elliptic curves (binary
+    curves). This version now includes additional security checks to prevent
+    this attack. This issue only affects binary elliptic curves, which are
+    rarely used in real-world applications. Credit to XlabAI Team of Tencent
+    Xuanwu Lab and Atuin Automated Vulnerability Discovery Engine for reporting
+    the issue. CVE-2026-26007
+  * Support for SECT* binary elliptic curves is deprecated and will be removed
+    in the next release.
+- Update to 46.0.4
+  * Dropped support for win_arm64 wheels.
+  * Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.5.5.
+- Update to 46.0.3
+  * Fixed compilation when using LibreSSL 4.2.0.
+
+-------------------------------------------------------------------

Old:
----
  cryptography-46.0.2.tar.gz

New:
----
  cryptography-46.0.5.tar.gz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ python-cryptography.spec ++++++
--- /var/tmp/diff_new_pack.aFoNkz/_old  2026-02-14 21:36:51.423507946 +0100
+++ /var/tmp/diff_new_pack.aFoNkz/_new  2026-02-14 21:36:51.427508111 +0100
@@ -1,7 +1,7 @@
 #
 # spec file for package python-cryptography
 #
-# Copyright (c) 2025 SUSE LLC and contributors
+# Copyright (c) 2026 SUSE LLC and contributors
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -28,7 +28,7 @@
 %{?sle15_python_module_pythons}
 Name:           python-cryptography%{psuffix}
 # ALWAYS KEEP IN SYNC WITH python-cryptography-vectors!
-Version:        46.0.2
+Version:        46.0.5
 Release:        0
 Summary:        Python library which exposes cryptographic recipes and 
primitives
 License:        Apache-2.0 OR BSD-3-Clause

++++++ cryptography-46.0.2.tar.gz -> cryptography-46.0.5.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/cryptography-46.0.2/CHANGELOG.rst 
new/cryptography-46.0.5/CHANGELOG.rst
--- old/cryptography-46.0.2/CHANGELOG.rst       2025-10-01 02:16:27.000000000 
+0200
+++ new/cryptography-46.0.5/CHANGELOG.rst       2026-02-10 20:11:41.000000000 
+0100
@@ -1,6 +1,36 @@
 Changelog
 =========
 
+.. _v46-0-5:
+
+46.0.5 - 2026-02-10
+~~~~~~~~~~~~~~~~~~~
+
+* An attacker could create a malicious public key that reveals portions of your
+  private key when using certain uncommon elliptic curves (binary curves).
+  This version now includes additional security checks to prevent this attack.
+  This issue only affects binary elliptic curves, which are rarely used in
+  real-world applications. Credit to **XlabAI Team of Tencent Xuanwu Lab and
+  Atuin Automated Vulnerability Discovery Engine** for reporting the issue.
+  **CVE-2026-26007**
+* Support for ``SECT*`` binary elliptic curves is deprecated and will be
+  removed in the next release.
+
+.. v46-0-4:
+
+46.0.4 - 2026-01-27
+~~~~~~~~~~~~~~~~~~~
+
+* `Dropped support for win_arm64 wheels`_.
+* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.5.5.
+
+.. _v46-0-3:
+
+46.0.3 - 2025-10-15
+~~~~~~~~~~~~~~~~~~~
+
+* Fixed compilation when using LibreSSL 4.2.0.
+
 .. _v46-0-2:
 
 46.0.2 - 2025-09-30
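
Review bot: the label added for 46.0.4, `.. v46-0-4:`, is missing the leading underscore that `.. _v46-0-5:` and `.. _v46-0-3:` carry in this same hunk, so reStructuredText reads it as a comment instead of a hyperlink target and the section gets no anchor. It should read `.. _v46-0-4:`.
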
@@ -2756,3 +2786,4 @@
 .. _`main`: https://github.com/pyca/cryptography/
 .. _`cffi`: https://cffi.readthedocs.io/
 .. _`aws-lc`: https://github.com/aws/aws-lc
+.. _`Dropped support for win_arm64 wheels`: 
https://github.com/pyca/cryptography/pull/14216
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/cryptography-46.0.2/Cargo.lock 
new/cryptography-46.0.5/Cargo.lock
--- old/cryptography-46.0.2/Cargo.lock  2025-10-01 02:16:27.000000000 +0200
+++ new/cryptography-46.0.5/Cargo.lock  2026-02-10 20:11:41.000000000 +0100
@@ -207,9 +207,9 @@
 
 [[package]]
 name = "openssl"
-version = "0.10.73"
+version = "0.10.74"
 source = "registry+https://github.com/rust-lang/crates.io-index";
-checksum = "8505734d46c8ab1e19a1dce3aef597ad87dcb4c37e7188231769bd6bd51cebf8"
+checksum = "24ad14dd45412269e1a30f52ad8f0664f0f4f4a89ee8fe28c3b3527021ebb654"
 dependencies = [
  "bitflags",
  "cfg-if",
@@ -233,9 +233,9 @@
 
 [[package]]
 name = "openssl-sys"
-version = "0.9.109"
+version = "0.9.110"
 source = "registry+https://github.com/rust-lang/crates.io-index";
-checksum = "90096e2e47630d78b7d1c20952dc621f957103f8bc2c8359ec81290d75238571"
+checksum = "0a9f0075ba3c21b09f8e8b2026584b1d18d49388648f2fbbf3c97ea8deced8e2"
 dependencies = [
  "cc",
  "libc",
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/cryptography-46.0.2/Cargo.toml 
new/cryptography-46.0.5/Cargo.toml
--- old/cryptography-46.0.2/Cargo.toml  2025-10-01 02:16:27.000000000 +0200
+++ new/cryptography-46.0.5/Cargo.toml  2026-02-10 20:11:41.000000000 +0100
@@ -24,8 +24,8 @@
 asn1 = { version = "0.22.0", default-features = false }
 pyo3 = { version = "0.26", features = ["abi3"] }
 pyo3-build-config = { version = "0.26" }
-openssl = "0.10.73"
-openssl-sys = "0.9.108"
+openssl = "0.10.74"
+openssl-sys = "0.9.110"
 
 [profile.release]
 overflow-checks = true
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/cryptography-46.0.2/PKG-INFO 
new/cryptography-46.0.5/PKG-INFO
--- old/cryptography-46.0.2/PKG-INFO    1970-01-01 01:00:00.000000000 +0100
+++ new/cryptography-46.0.5/PKG-INFO    1970-01-01 01:00:00.000000000 +0100
@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: cryptography
-Version: 46.0.2
+Version: 46.0.5
 Classifier: Development Status :: 5 - Production/Stable
 Classifier: Intended Audience :: Developers
 Classifier: Natural Language :: English
@@ -28,7 +28,7 @@
 Requires-Dist: typing-extensions>=4.13.2 ; python_full_version < '3.11'
 Requires-Dist: bcrypt>=3.1.5 ; extra == 'ssh'
 Requires-Dist: nox[uv]>=2024.4.15 ; extra == 'nox'
-Requires-Dist: cryptography-vectors==46.0.2 ; extra == 'test'
+Requires-Dist: cryptography-vectors==46.0.5 ; extra == 'test'
 Requires-Dist: pytest>=7.4.0 ; extra == 'test'
 Requires-Dist: pytest-benchmark>=4.0 ; extra == 'test'
 Requires-Dist: pytest-cov>=2.10.1 ; extra == 'test'
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/cryptography-46.0.2/docs/installation.rst 
new/cryptography-46.0.5/docs/installation.rst
--- old/cryptography-46.0.2/docs/installation.rst       2025-10-01 
02:16:27.000000000 +0200
+++ new/cryptography-46.0.5/docs/installation.rst       2026-02-10 
20:11:41.000000000 +0100
@@ -35,7 +35,6 @@
   Sid (unstable)
 * x86-64 and ARM64 Alpine (latest)
 * 32-bit and 64-bit Python on 64-bit Windows Server 2022
-* ARM64 Windows 11
 
 We test compiling with ``clang`` as well as ``gcc`` and use the following
 OpenSSL releases in addition to distribution provided releases from the
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/cryptography-46.0.2/pyproject.toml 
new/cryptography-46.0.5/pyproject.toml
--- old/cryptography-46.0.2/pyproject.toml      2025-10-01 02:16:27.000000000 
+0200
+++ new/cryptography-46.0.5/pyproject.toml      2026-02-10 20:11:41.000000000 
+0100
@@ -16,7 +16,7 @@
 
 [project]
 name = "cryptography"
-version = "46.0.2"
+version = "46.0.5"
 authors = [
     { name = "The Python Cryptographic Authority and individual contributors", 
email = "[email protected]" },
 ]
@@ -70,7 +70,7 @@
 # All the following are used for our own testing.
 nox = ["nox[uv] >=2024.04.15"]
 test = [
-    "cryptography_vectors==46.0.2",
+    "cryptography_vectors==46.0.5",
     "pytest >=7.4.0",
     "pytest-benchmark >=4.0",
     "pytest-cov >=2.10.1",
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/cryptography-46.0.2/src/cryptography/__about__.py 
new/cryptography-46.0.5/src/cryptography/__about__.py
--- old/cryptography-46.0.2/src/cryptography/__about__.py       2025-10-01 
02:16:27.000000000 +0200
+++ new/cryptography-46.0.5/src/cryptography/__about__.py       2026-02-10 
20:11:41.000000000 +0100
@@ -10,7 +10,7 @@
     "__version__",
 ]
 
-__version__ = "46.0.2"
+__version__ = "46.0.5"
 
 
 __author__ = "The Python Cryptographic Authority and individual contributors"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/cryptography-46.0.2/src/cryptography/hazmat/primitives/asymmetric/ec.py 
new/cryptography-46.0.5/src/cryptography/hazmat/primitives/asymmetric/ec.py
--- old/cryptography-46.0.2/src/cryptography/hazmat/primitives/asymmetric/ec.py 
2025-10-01 02:16:27.000000000 +0200
+++ new/cryptography-46.0.5/src/cryptography/hazmat/primitives/asymmetric/ec.py 
2026-02-10 20:11:41.000000000 +0100
@@ -445,3 +445,26 @@
             "The provided object identifier has no matching elliptic "
             "curve class"
         )
+
+
+_SECT_CURVES: tuple[type[EllipticCurve], ...] = (
+    SECT163K1,
+    SECT163R2,
+    SECT233K1,
+    SECT233R1,
+    SECT283K1,
+    SECT283R1,
+    SECT409K1,
+    SECT409R1,
+    SECT571K1,
+    SECT571R1,
+)
+
+for _curve_cls in _SECT_CURVES:
+    utils.deprecated(
+        _curve_cls,
+        __name__,
+        f"{_curve_cls.__name__} will be removed in the next release.",
+        utils.DeprecatedIn46,
+        name=_curve_cls.__name__,
+    )
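
Review bot: the deprecation message built in the `utils.deprecated(...)` call says only "will be removed in the next release", which names no version and tells the caller neither why the curve is going away nor what to move to. Suggest naming the release the removal is planned for and pointing at the changelog entry for the binary-curve issue. Minor: `_curve_cls` stays bound at module scope after the loop; a `del _curve_cls` after it would keep the namespace clean.
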
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/cryptography-46.0.2/src/cryptography/utils.py 
new/cryptography-46.0.5/src/cryptography/utils.py
--- old/cryptography-46.0.2/src/cryptography/utils.py   2025-10-01 
02:16:27.000000000 +0200
+++ new/cryptography-46.0.5/src/cryptography/utils.py   2026-02-10 
20:11:41.000000000 +0100
@@ -26,6 +26,7 @@
 DeprecatedIn41 = CryptographyDeprecationWarning
 DeprecatedIn42 = CryptographyDeprecationWarning
 DeprecatedIn43 = CryptographyDeprecationWarning
+DeprecatedIn46 = CryptographyDeprecationWarning
 
 
 # If you're wondering why we don't use `Buffer`, it's because `Buffer` would
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/cryptography-46.0.2/src/rust/src/backend/ec.rs 
new/cryptography-46.0.5/src/rust/src/backend/ec.rs
--- old/cryptography-46.0.2/src/rust/src/backend/ec.rs  2025-10-01 
02:16:27.000000000 +0200
+++ new/cryptography-46.0.5/src/rust/src/backend/ec.rs  2026-02-10 
20:11:41.000000000 +0100
@@ -135,12 +135,10 @@
 ) -> CryptographyResult<ECPublicKey> {
     let ec = pkey.ec_key()?;
     let curve = py_curve_from_curve(py, ec.group())?;
-    check_key_infinity(&ec)?;
-    Ok(ECPublicKey {
-        pkey: pkey.to_owned(),
-        curve: curve.into(),
-    })
+
+    ECPublicKey::new(pkey.to_owned(), curve.into())
 }
+
 #[pyo3::pyfunction]
 #[pyo3(signature = (curve, backend=None))]
 fn generate_private_key(
@@ -198,10 +196,7 @@
     let ec = openssl::ec::EcKey::from_public_key(&curve, &point)?;
     let pkey = openssl::pkey::PKey::from_ec_key(ec)?;
 
-    Ok(ECPublicKey {
-        pkey,
-        curve: py_curve.into(),
-    })
+    ECPublicKey::new(pkey, py_curve.into())
 }
 
 #[pyo3::pymethods]
@@ -367,6 +362,29 @@
     }
 }
 
+impl ECPublicKey {
+    fn new(
+        pkey: openssl::pkey::PKey<openssl::pkey::Public>,
+        curve: pyo3::Py<pyo3::PyAny>,
+    ) -> CryptographyResult<ECPublicKey> {
+        let ec = pkey.ec_key()?;
+        check_key_infinity(&ec)?;
+        let mut bn_ctx = openssl::bn::BigNumContext::new()?;
+        let mut cofactor = openssl::bn::BigNum::new()?;
+        ec.group().cofactor(&mut cofactor, &mut bn_ctx)?;
+        let one = openssl::bn::BigNum::from_u32(1)?;
+        if cofactor != one {
+            ec.check_key().map_err(|_| {
+                pyo3::exceptions::PyValueError::new_err(
+                    "Invalid EC key (key out of range, infinity, etc.)",
+                )
+            })?;
+        }
+
+        Ok(ECPublicKey { pkey, curve })
+    }
+}
+
 #[pyo3::pymethods]
 impl ECPublicKey {
     #[getter]
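
Review bot: in `ECPublicKey::new` the `if cofactor != one` branch carries no comment explaining why the full `ec.check_key()` validation runs only for curves whose cofactor is not 1, and that condition is the whole of the security fix. A short comment stating the reasoning (and that cofactor-1 curves rely on the checks already done when the point is loaded) would keep a later refactor from dropping or inverting it. Also, `map_err(|_| ...)` discards the OpenSSL error, so every rejection surfaces as the same generic "Invalid EC key" text; consider preserving the underlying reason for debugging. The `BigNumContext` and both `BigNum` values are allocated for every public key constructed, including keys on cofactor-1 curves where the branch is never taken.
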
@@ -606,10 +624,7 @@
 
         let pkey = openssl::pkey::PKey::from_ec_key(public_key)?;
 
-        Ok(ECPublicKey {
-            pkey,
-            curve: self.curve.clone_ref(py),
-        })
+        ECPublicKey::new(pkey, self.curve.clone_ref(py))
     }
 
     fn __eq__(
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/cryptography-46.0.2/tests/hazmat/primitives/test_ec.py 
new/cryptography-46.0.5/tests/hazmat/primitives/test_ec.py
--- old/cryptography-46.0.2/tests/hazmat/primitives/test_ec.py  2025-10-01 
02:16:27.000000000 +0200
+++ new/cryptography-46.0.5/tests/hazmat/primitives/test_ec.py  2026-02-10 
20:11:41.000000000 +0100
@@ -1542,3 +1542,40 @@
 
         with pytest.raises(ValueError):
             key.exchange(ec.ECDH(), public_key)
+
+
+def test_invalid_sect_public_keys(backend):
+    _skip_curve_unsupported(backend, ec.SECT571K1())
+    public_numbers = ec.EllipticCurvePublicNumbers(1, 1, ec.SECT571K1())
+    with pytest.raises(ValueError):
+        public_numbers.public_key()
+
+    point = binascii.unhexlify(
+        b"0400000000000000000000000000000000000000000000000000000000000000000"
+        b"0000000000000000000000000000000000000000000000000000000000000000000"
+        b"0000000000010000000000000000000000000000000000000000000000000000000"
+        b"0000000000000000000000000000000000000000000000000000000000000000000"
+        b"0000000000000000000001"
+    )
+    with pytest.raises(ValueError):
+        ec.EllipticCurvePublicKey.from_encoded_point(ec.SECT571K1(), point)
+
+    der = binascii.unhexlify(
+        b"3081a7301006072a8648ce3d020106052b810400260381920004000000000000000"
+        b"0000000000000000000000000000000000000000000000000000000000000000000"
+        b"0000000000000000000000000000000000000000000000000000000000000100000"
+        b"0000000000000000000000000000000000000000000000000000000000000000000"
+        b"0000000000000000000000000000000000000000000000000000000000000000000"
+        b"00001"
+    )
+    with pytest.raises(ValueError):
+        serialization.load_der_public_key(der)
+
+    pem = textwrap.dedent("""-----BEGIN PUBLIC KEY-----
+    MIGnMBAGByqGSM49AgEGBSuBBAAmA4GSAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+    AAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAE=
+    -----END PUBLIC KEY-----""").encode()
+    with pytest.raises(ValueError):
+        serialization.load_pem_public_key(pem)
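
Review bot: in the PEM case, `textwrap.dedent` has no effect because the literal starts with `-----BEGIN PUBLIC KEY-----` at column 0, so the common indent is empty and the base64 lines and the END line keep their four leading spaces. A bare `pytest.raises(ValueError)` then cannot tell a rejection by the new key check from a failure in PEM parsing. Suggest opening the literal with `"""\` and indenting the BEGIN line like the rest, and adding `match="Invalid EC key"` to the four `pytest.raises` calls so each one asserts the new check fired. All four cases also use SECT571K1 only; parametrizing over the other supported SECT curves and adding one valid key that must still load would guard against both gaps and false rejects.
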

++++++ no-pytest_benchmark.patch ++++++
--- /var/tmp/diff_new_pack.aFoNkz/_old  2026-02-14 21:36:51.923528557 +0100
+++ /var/tmp/diff_new_pack.aFoNkz/_new  2026-02-14 21:36:51.931528887 +0100
@@ -1,10 +1,10 @@
-Index: cryptography-46.0.2/pyproject.toml
+Index: cryptography-46.0.5/pyproject.toml
 ===================================================================
---- cryptography-46.0.2.orig/pyproject.toml
-+++ cryptography-46.0.2/pyproject.toml
+--- cryptography-46.0.5.orig/pyproject.toml
++++ cryptography-46.0.5/pyproject.toml
 @@ -72,8 +72,6 @@ nox = ["nox[uv] >=2024.04.15"]
  test = [
-     "cryptography_vectors==46.0.2",
+     "cryptography_vectors==46.0.5",
      "pytest >=7.4.0",
 -    "pytest-benchmark >=4.0",
 -    "pytest-cov >=2.10.1",
@@ -51,10 +51,10 @@
  [tool.ruff]
  line-length = 79
  
-Index: cryptography-46.0.2/tests/bench/test_aead.py
+Index: cryptography-46.0.5/tests/bench/test_aead.py
 ===================================================================
---- cryptography-46.0.2.orig/tests/bench/test_aead.py
-+++ cryptography-46.0.2/tests/bench/test_aead.py
+--- cryptography-46.0.5.orig/tests/bench/test_aead.py
++++ cryptography-46.0.5/tests/bench/test_aead.py
 @@ -26,84 +26,84 @@ def _aead_supported(cls):
      not _aead_supported(ChaCha20Poly1305),
      reason="Requires OpenSSL with ChaCha20Poly1305 support",
@@ -160,10 +160,10 @@
      ct = aes.encrypt(b"\x00" * 12, b"hello world plaintext", None)
 -    benchmark(aes.decrypt, b"\x00" * 12, ct, None)
 +    aes.decrypt(b"\x00" * 12, ct, None)
-Index: cryptography-46.0.2/tests/bench/test_ec_load.py
+Index: cryptography-46.0.5/tests/bench/test_ec_load.py
 ===================================================================
---- cryptography-46.0.2.orig/tests/bench/test_ec_load.py
-+++ cryptography-46.0.2/tests/bench/test_ec_load.py
+--- cryptography-46.0.5.orig/tests/bench/test_ec_load.py
++++ cryptography-46.0.5/tests/bench/test_ec_load.py
 @@ -5,9 +5,9 @@
  from ..hazmat.primitives.fixtures_ec import EC_KEY_SECP256R1
  
@@ -178,10 +178,10 @@
 -    benchmark(EC_KEY_SECP256R1.private_key)
 +def test_load_ec_private_numbers():
 +    EC_KEY_SECP256R1.private_key()
-Index: cryptography-46.0.2/tests/bench/test_hashes.py
+Index: cryptography-46.0.5/tests/bench/test_hashes.py
 ===================================================================
---- cryptography-46.0.2.orig/tests/bench/test_hashes.py
-+++ cryptography-46.0.2/tests/bench/test_hashes.py
+--- cryptography-46.0.5.orig/tests/bench/test_hashes.py
++++ cryptography-46.0.5/tests/bench/test_hashes.py
 @@ -5,10 +5,10 @@
  from cryptography.hazmat.primitives import hashes
  
@@ -195,10 +195,10 @@
  
 -    benchmark(bench)
 +    bench()
-Index: cryptography-46.0.2/tests/bench/test_hmac.py
+Index: cryptography-46.0.5/tests/bench/test_hmac.py
 ===================================================================
---- cryptography-46.0.2.orig/tests/bench/test_hmac.py
-+++ cryptography-46.0.2/tests/bench/test_hmac.py
+--- cryptography-46.0.5.orig/tests/bench/test_hmac.py
++++ cryptography-46.0.5/tests/bench/test_hmac.py
 @@ -5,10 +5,10 @@
  from cryptography.hazmat.primitives import hashes, hmac
  
@@ -212,10 +212,10 @@
  
 -    benchmark(bench)
 +    bench()
-Index: cryptography-46.0.2/tests/bench/test_x509.py
+Index: cryptography-46.0.5/tests/bench/test_x509.py
 ===================================================================
---- cryptography-46.0.2.orig/tests/bench/test_x509.py
-+++ cryptography-46.0.2/tests/bench/test_x509.py
+--- cryptography-46.0.5.orig/tests/bench/test_x509.py
++++ cryptography-46.0.5/tests/bench/test_x509.py
 @@ -13,40 +13,40 @@ from cryptography import x509
  from ..utils import load_vectors_from_file
  

++++++ vendor.tar.zst ++++++
++++ 658561 lines of diff (skipped)
