Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package python-pyOpenSSL for
openSUSE:Factory checked in at 2026-04-28 11:53:45
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/python-pyOpenSSL (Old)
and /work/SRC/openSUSE:Factory/.python-pyOpenSSL.new.11940 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "python-pyOpenSSL"
Tue Apr 28 11:53:45 2026 rev:64 rq:1349507 version:26.1.0
Changes:
--------
--- /work/SRC/openSUSE:Factory/python-pyOpenSSL/python-pyOpenSSL.changes
2026-03-19 17:26:47.067528325 +0100
+++
/work/SRC/openSUSE:Factory/.python-pyOpenSSL.new.11940/python-pyOpenSSL.changes
2026-04-28 11:54:11.104056221 +0200
@@ -1,0 +2,11 @@
+Sun Apr 26 10:26:13 UTC 2026 - Dirk Müller <[email protected]>
+
+- update to 26.1.0 (CVE-2026-40475, bsc#1262803):
+ * Maximum supported cryptography version is now 47.x.
+ * Fixed X509Name field setters to correctly pass the value
+ length to OpenSSL. Previously, values containing NUL bytes
+ would be silently truncated, causing a divergence between the
+ stored ASN.1 value and the value visible from Python. Credit
+ to BudongJW for reporting the issue. CVE-2026-40475
+
+-------------------------------------------------------------------
Old:
----
pyopenssl-26.0.0.tar.gz
New:
----
pyopenssl-26.1.0.tar.gz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ python-pyOpenSSL.spec ++++++
--- /var/tmp/diff_new_pack.JlKiSe/_old 2026-04-28 11:54:11.932090412 +0200
+++ /var/tmp/diff_new_pack.JlKiSe/_new 2026-04-28 11:54:11.936090577 +0200
@@ -26,7 +26,7 @@
%endif
%{?sle15_python_module_pythons}
Name: python-pyOpenSSL%{psuffix}
-Version: 26.0.0
+Version: 26.1.0
Release: 0
Summary: Python wrapper module around the OpenSSL library
License: Apache-2.0
@@ -35,14 +35,14 @@
# PATCH-FIX-UPSTREAM skip-networked-test.patch gh#pyca/pyopenssl#68
[email protected]
# Mark tests requiring network access
Patch0: skip-networked-test.patch
-BuildRequires: %{python_module base >= 3.7}
+BuildRequires: %{python_module base >= 3.8}
BuildRequires: %{python_module cffi}
BuildRequires: %{python_module pip}
BuildRequires: %{python_module setuptools}
BuildRequires: fdupes
BuildRequires: python-rpm-macros
Requires: python-cffi
-Requires: (python-cryptography >= 45.0.7 with python-cryptography < 47)
+Requires: (python-cryptography >= 46.0.0 with python-cryptography < 48)
%if %{python_version_nodots} < 313
Requires: python-typing-extensions >= 4.9
%endif
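Review bot: The raised lower bounds in this hunk, `%{python_module base >= 3.8}` and `python-cryptography >= 46.0.0`, are not mentioned in the new .changes entry, which lists only the two upstream changelog items. Add a line there for the new minimums so that anyone carrying the CVE-2026-40475 fix to an older code stream sees the dependency change up front. The 46.0.0 floor matches the `cryptography<47,>=46.0.0` that the 26.0.0 PKG-INFO already declared, so the previous 45.0.7 value looks like it was already out of step with upstream.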
@@ -51,7 +51,7 @@
%if %{without test}
BuildArch: noarch
%else
-BuildRequires: %{python_module cryptography >= 45.0.7 with
%python-cryptography < 47}
+BuildRequires: %{python_module cryptography >= 46.0.0 with
%python-cryptography < 48}
BuildRequires: %{python_module pretend}
BuildRequires: %{python_module pyOpenSSL >= %version}
BuildRequires: %{python_module pytest >= 3.0.1}
@@ -97,7 +97,7 @@
%if !%{with test}
%files %{python_files}
%license LICENSE
-%doc *.rst
+%doc CHANGELOG.rst README.rst
%{python_sitelib}/OpenSSL/
%{python_sitelib}/py[Oo]pen[Ss][Ss][Ll]-%{version}.dist-info
%endif
++++++ pyopenssl-26.0.0.tar.gz -> pyopenssl-26.1.0.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/pyopenssl-26.0.0/CHANGELOG.rst
new/pyopenssl-26.1.0/CHANGELOG.rst
--- old/pyopenssl-26.0.0/CHANGELOG.rst 2026-03-15 15:28:02.000000000 +0100
+++ new/pyopenssl-26.1.0/CHANGELOG.rst 2026-04-24 22:23:14.000000000 +0200
@@ -4,6 +4,21 @@
Versions are year-based with a strict backward-compatibility policy.
The third digit is only for regressions.
+26.1.0 (2026-04-24)
+-------------------
+
+Backward-incompatible changes:
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+Deprecations:
+^^^^^^^^^^^^^
+
+Changes:
+^^^^^^^^
+
+- Maximum supported ``cryptography`` version is now 47.x.
+- Fixed ``X509Name`` field setters to correctly pass the value length to
OpenSSL. Previously, values containing NUL bytes would be silently truncated,
causing a divergence between the stored ASN.1 value and the value visible from
Python. Credit to **BudongJW** for reporting the issue. **CVE-2026-40475**
+
26.0.0 (2026-03-15)
-------------------
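Review bot: "Backward-incompatible changes:" and "Deprecations:" are added as empty headings, while the X509Name entry under "Changes:" describes something callers can observe: a value containing a NUL byte used to be stored truncated and is now stored in full. Either drop the empty headings or put that entry (or a cross-reference to it) under the backward-incompatible heading, and say explicitly that names built with earlier versions may hold the truncated value.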
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/pyopenssl-26.0.0/PKG-INFO
new/pyopenssl-26.1.0/PKG-INFO
--- old/pyopenssl-26.0.0/PKG-INFO 2026-03-15 15:28:07.175517300 +0100
+++ new/pyopenssl-26.1.0/PKG-INFO 2026-04-24 22:23:19.443975000 +0200
@@ -1,6 +1,6 @@
Metadata-Version: 2.4
Name: pyOpenSSL
-Version: 26.0.0
+Version: 26.1.0
Summary: Python wrapper module around the OpenSSL library
Home-page: https://pyopenssl.org/
Author: The pyOpenSSL developers
@@ -27,7 +27,7 @@
Classifier: Topic :: System :: Networking
Requires-Python: >=3.8
License-File: LICENSE
-Requires-Dist: cryptography<47,>=46.0.0
+Requires-Dist: cryptography<48,>=46.0.0
Requires-Dist: typing-extensions>=4.9; python_version < "3.13" and
python_version >= "3.8"
Provides-Extra: test
Requires-Dist: pytest-rerunfailures; extra == "test"
@@ -96,6 +96,21 @@
Release Information
===================
+26.1.0 (2026-04-24)
+-------------------
+
+Backward-incompatible changes:
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+Deprecations:
+^^^^^^^^^^^^^
+
+Changes:
+^^^^^^^^
+
+- Maximum supported ``cryptography`` version is now 47.x.
+- Fixed ``X509Name`` field setters to correctly pass the value length to
OpenSSL. Previously, values containing NUL bytes would be silently truncated,
causing a divergence between the stored ASN.1 value and the value visible from
Python. Credit to **BudongJW** for reporting the issue. **CVE-2026-40475**
+
26.0.0 (2026-03-15)
-------------------
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/pyopenssl-26.0.0/doc/backward-compatibility.rst
new/pyopenssl-26.1.0/doc/backward-compatibility.rst
--- old/pyopenssl-26.0.0/doc/backward-compatibility.rst 2026-03-15
15:28:02.000000000 +0100
+++ new/pyopenssl-26.1.0/doc/backward-compatibility.rst 2026-04-24
22:23:14.000000000 +0200
@@ -9,3 +9,10 @@
#. …announced in the :doc:`changelog`.
#. …the old behavior raises a :exc:`DeprecationWarning` for a year.
#. …are done with another announcement in the :doc:`changelog`.
+
+Versioning Policy
+=================
+
+pyOpenSSL follows `CalVer <https://calver.org>`_ in `YY.MINOR.MICRO` format.
+Unlike SemVer, major versions represent the year, and are not indicative of
+breaking changes.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/pyopenssl-26.0.0/setup.py
new/pyopenssl-26.1.0/setup.py
--- old/pyopenssl-26.0.0/setup.py 2026-03-15 15:28:02.000000000 +0100
+++ new/pyopenssl-26.1.0/setup.py 2026-04-24 22:23:14.000000000 +0200
@@ -93,7 +93,7 @@
packages=find_packages(where="src"),
package_dir={"": "src"},
install_requires=[
- "cryptography>=46.0.0,<47",
+ "cryptography>=46.0.0,<48",
(
"typing-extensions>=4.9; "
"python_version < '3.13' and python_version >= '3.8'"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/pyopenssl-26.0.0/src/OpenSSL/crypto.py
new/pyopenssl-26.1.0/src/OpenSSL/crypto.py
--- old/pyopenssl-26.0.0/src/OpenSSL/crypto.py 2026-03-15 15:28:02.000000000
+0100
+++ new/pyopenssl-26.1.0/src/OpenSSL/crypto.py 2026-04-24 22:23:14.000000000
+0200
@@ -651,7 +651,7 @@
value = value.encode("utf-8")
add_result = _lib.X509_NAME_add_entry_by_NID(
- self._name, nid, _lib.MBSTRING_UTF8, value, -1, -1, 0
+ self._name, nid, _lib.MBSTRING_UTF8, value, len(value), -1, 0
)
if not add_result:
_raise_current_error()
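Review bot: The switch from `-1` to `len(value)` in the `X509_NAME_add_entry_by_NID` call carries no comment explaining why the length must be explicit. With `-1` OpenSSL takes the length from strlen(), which is what stopped at the first NUL; a one-line comment here would keep the argument from being simplified back later. `len(value)` is a byte count only because `value` has gone through `.encode("utf-8")` on the line above, so check that every path reaching this call holds bytes at this point. Also decide whether a NUL inside a name field should be accepted at all: the stored value now matches what Python sees, but anything downstream that reads the entry as a C string will still stop at the NUL, so rejecting such values with an error is the stricter option.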
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/pyopenssl-26.0.0/src/OpenSSL/version.py
new/pyopenssl-26.1.0/src/OpenSSL/version.py
--- old/pyopenssl-26.0.0/src/OpenSSL/version.py 2026-03-15 15:28:02.000000000
+0100
+++ new/pyopenssl-26.1.0/src/OpenSSL/version.py 2026-04-24 22:23:14.000000000
+0200
@@ -17,7 +17,7 @@
"__version__",
]
-__version__ = "26.0.0"
+__version__ = "26.1.0"
__title__ = "pyOpenSSL"
__uri__ = "https://pyopenssl.org/"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/pyopenssl-26.0.0/src/pyOpenSSL.egg-info/PKG-INFO
new/pyopenssl-26.1.0/src/pyOpenSSL.egg-info/PKG-INFO
--- old/pyopenssl-26.0.0/src/pyOpenSSL.egg-info/PKG-INFO 2026-03-15
15:28:07.000000000 +0100
+++ new/pyopenssl-26.1.0/src/pyOpenSSL.egg-info/PKG-INFO 2026-04-24
22:23:19.000000000 +0200
@@ -1,6 +1,6 @@
Metadata-Version: 2.4
Name: pyOpenSSL
-Version: 26.0.0
+Version: 26.1.0
Summary: Python wrapper module around the OpenSSL library
Home-page: https://pyopenssl.org/
Author: The pyOpenSSL developers
@@ -27,7 +27,7 @@
Classifier: Topic :: System :: Networking
Requires-Python: >=3.8
License-File: LICENSE
-Requires-Dist: cryptography<47,>=46.0.0
+Requires-Dist: cryptography<48,>=46.0.0
Requires-Dist: typing-extensions>=4.9; python_version < "3.13" and
python_version >= "3.8"
Provides-Extra: test
Requires-Dist: pytest-rerunfailures; extra == "test"
@@ -96,6 +96,21 @@
Release Information
===================
+26.1.0 (2026-04-24)
+-------------------
+
+Backward-incompatible changes:
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+Deprecations:
+^^^^^^^^^^^^^
+
+Changes:
+^^^^^^^^
+
+- Maximum supported ``cryptography`` version is now 47.x.
+- Fixed ``X509Name`` field setters to correctly pass the value length to
OpenSSL. Previously, values containing NUL bytes would be silently truncated,
causing a divergence between the stored ASN.1 value and the value visible from
Python. Credit to **BudongJW** for reporting the issue. **CVE-2026-40475**
+
26.0.0 (2026-03-15)
-------------------
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/pyopenssl-26.0.0/src/pyOpenSSL.egg-info/requires.txt
new/pyopenssl-26.1.0/src/pyOpenSSL.egg-info/requires.txt
--- old/pyopenssl-26.0.0/src/pyOpenSSL.egg-info/requires.txt 2026-03-15
15:28:07.000000000 +0100
+++ new/pyopenssl-26.1.0/src/pyOpenSSL.egg-info/requires.txt 2026-04-24
22:23:19.000000000 +0200
@@ -1,4 +1,4 @@
-cryptography<47,>=46.0.0
+cryptography<48,>=46.0.0
[:python_version < "3.13" and python_version >= "3.8"]
typing-extensions>=4.9
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/pyopenssl-26.0.0/tests/test_crypto.py
new/pyopenssl-26.1.0/tests/test_crypto.py
--- old/pyopenssl-26.0.0/tests/test_crypto.py 2026-03-15 15:28:02.000000000
+0100
+++ new/pyopenssl-26.1.0/tests/test_crypto.py 2026-04-24 22:23:14.000000000
+0200
@@ -1403,6 +1403,14 @@
name.emailAddress = "[email protected]"
assert copy.emailAddress == "[email protected]"
+ def test_null_bytes_preserved(self) -> None:
+ """
+ Null bytes in X509Name field values are round-tripped correctly.
+ """
+ name = x509_name()
+ name.CN = "a\x00b"
+ assert name.CN == "a\x00b"
+
def test_repr(self) -> None:
"""
`repr` passed an `X509Name` instance should return a string containing
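Review bot: `test_null_bytes_preserved` asserts only on `name.CN` read back through the Python getter, so it never looks at the encoded name, which is where the changelog says the divergence was. Add an assertion that `name.get_components()` or `name.der()` contains the full `a\x00b` bytes, and a value that mixes a NUL with a non-ASCII character so the length passed is checked as a byte count rather than a character count. Only `CN` is exercised, although the fix is described as covering the X509Name field setters in general.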
@@ -1995,16 +2003,17 @@
current time plus the number of seconds passed in.
"""
cert = load_certificate(FILETYPE_PEM, self.pemData)
- not_before_min = utcnow().replace(microsecond=0) + timedelta(
- seconds=100
- )
+ utc_now = utcnow().replace(microsecond=0)
+ # -1 second tolerance for clock adjustments
+ not_before_min = utc_now + timedelta(seconds=99)
cert.gmtime_adj_notBefore(100)
not_before_str = cert.get_notBefore()
assert not_before_str is not None
not_before = datetime.strptime(
not_before_str.decode(), "%Y%m%d%H%M%SZ"
)
- not_before_max = utcnow() + timedelta(seconds=100)
+ # +1 second tolerance for clock adjustments
+ not_before_max = utc_now + timedelta(seconds=101)
assert not_before_min <= not_before <= not_before_max
def test_gmtime_adj_notAfter_wrong_args(self) -> None:
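Review bot: `not_before_max` is now computed from the `utc_now` captured before `cert.gmtime_adj_notBefore(100)` instead of from a second `utcnow()` taken after the value is read back. That makes the window a fixed 99 to 101 seconds around the first timestamp, so a pause of more than about a second between capturing `utc_now` and the adjust call (a loaded CI worker, for instance) fails the assertion where the old upper bound would have moved with it. If the goal is tolerance for clock steps, keep the second `utcnow()` for the upper bound and add the one second to that.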
@@ -2023,14 +2032,15 @@
to be the current time plus the number of seconds passed in.
"""
cert = load_certificate(FILETYPE_PEM, self.pemData)
- not_after_min = utcnow().replace(microsecond=0) + timedelta(
- seconds=100
- )
+ utc_now = utcnow().replace(microsecond=0)
+ # -1 second tolerance for clock adjustments
+ not_after_min = utc_now + timedelta(seconds=99)
cert.gmtime_adj_notAfter(100)
not_after_str = cert.get_notAfter()
assert not_after_str is not None
not_after = datetime.strptime(not_after_str.decode(), "%Y%m%d%H%M%SZ")
- not_after_max = utcnow() + timedelta(seconds=100)
+ # +1 second tolerance for clock adjustments
+ not_after_max = utc_now + timedelta(seconds=101)
assert not_after_min <= not_after <= not_after_max
def test_has_expired(self) -> None:
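Review bot: The 99 and 101 second bounds and both tolerance comments in this hunk duplicate the notBefore test line for line. Factor the window computation into a small helper shared by the two tests so the tolerance is defined once. `not_after_max` is also derived from the `utc_now` taken before `cert.gmtime_adj_notAfter(100)`, so a stall between those two lines longer than the one-second tolerance fails the test; taking the upper bound from a fresh `utcnow()` after the call avoids that.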
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/pyopenssl-26.0.0/tests/test_ssl.py
new/pyopenssl-26.1.0/tests/test_ssl.py
--- old/pyopenssl-26.0.0/tests/test_ssl.py 2026-03-15 15:28:02.000000000
+0100
+++ new/pyopenssl-26.1.0/tests/test_ssl.py 2026-04-24 22:23:14.000000000
+0200
@@ -4686,7 +4686,11 @@
Tests for PyOpenSSL's OCSP stapling support.
"""
- sample_ocsp_data = b"this is totally ocsp data"
+ # Minimal valid DER-encoded OCSPResponse with status "unauthorized"
+ # (SEQUENCE { ENUMERATED 6 }). Required by OpenSSL 4.0+, which parses
+ # the bytes via d2i_OCSP_RESPONSE before stapling and silently drops
+ # unparseable input.
+ sample_ocsp_data = b"\x30\x03\x0a\x01\x06"
def _client_connection(
self,
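Review bot: Replacing `sample_ocsp_data` with a parseable response means nothing in this class covers the case the new comment describes, where OpenSSL 4.0+ silently drops unparseable bytes handed over for stapling. Add a test that pins that behaviour (what the client side receives when the server callback returns non-DER bytes), since a silently missing staple is easy to overlook in deployment. The comment could also name the status as OCSPResponseStatus unauthorized(6) so the five bytes can be checked against the encoding at a glance.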