git.ipfire.org Git - thirdparty/openembedded/openembedded-core-contrib.git/commit

python3-cryptography{-vectors}: upgrade 46.0.7 -> 48.0.0

* Drop 0001-bump-uv_build-to-0.11.0.patch; change is included in upgrade.
* Refresh python3-crytpography-crates.inc

48.0.0 - 2026-05-04 [1]
* BACKWARDS INCOMPATIBLE: Support for Python 3.8 has been removed.
  cryptography now requires Python 3.9 or later.

* BACKWARDS INCOMPATIBLE: Loading an X.509 CRL whose inner
  TBSCertList.signature algorithm does not match the outer
  signatureAlgorithm now raises ValueError. Previously, such CRLs
  were parsed successfully and only rejected during signature validation.

* Added support for ML-KEM key encapsulation and ML-DSA signing when
  using OpenSSL 3.5.0 or later, in addition to the existing AWS-LC and
  BoringSSL support. This means post-quantum algorithms are now available
  to users of our wheels.

  - Note: Going forward, we do not guarantee that all functionality in
    cryptography will be available when building against OpenSSL. See
    The State of OpenSSL for pyca/cryptography for more information.

47.0.0 - 2026-04-24 [2]
* Support for Python 3.8 is deprecated and will be removed in the next
  cryptography release.

* BACKWARDS INCOMPATIBLE: Support for binary elliptic curves
  (SECT* classes) has been removed. These curves are rarely used and
  have additional security considerations that make them undesirable.

* BACKWARDS INCOMPATIBLE: Support for OpenSSL 1.1.x has been removed.
  OpenSSL 3.0.0 or later is now required. LibreSSL, BoringSSL, and
  AWS-LC continue to be supported.

* BACKWARDS INCOMPATIBLE: Dropped support for LibreSSL < 4.1.

* BACKWARDS INCOMPATIBLE: Loading keys with unsupported algorithms or
  keys with unsupported explicit curve encodings now raises
  UnsupportedAlgorithm instead of ValueError. This change affects
  load_pem_private_key(), load_der_private_key(), load_pem_public_key(),
  load_der_public_key(), and public_key() when called on certificates
  with unsupported public key algorithms.

* BACKWARDS INCOMPATIBLE: When parsing elliptic curve private keys, we
  now reject keys that incorrectly encode a private key of the wrong
  length because such keys are impossible to process in a constant-time
  manner. We do not believe keys with this problem are in wide use,
  however we may revert this change based on the feedback we receive.

* Deprecated passing 64-bit (8-byte) and 128-bit (16-byte) keys to
  TripleDES. In a future release, only 192-bit (24-byte) keys will be
  accepted. Users should expand shorter keys themselves (e.g., for
  single DES: key + key + key, for two-key: key + key[:8]).

See [2] for the rest of 47.0.0 changes.

For full comparison of changes, see [3].

[1] https://cryptography.io/en/latest/changelog/#v48-0-0
[2] https://cryptography.io/en/latest/changelog/#v47-0-0
[3] https://github.com/pyca/cryptography/compare/46.0.7...48.0.0

Signed-off-by: Tim Orling <tim.orling@konsulko.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

author	Tim Orling <tim.orling@konsulko.com>
	Sat, 30 May 2026 22:42:34 +0000 (15:42 -0700)
committer	Richard Purdie <richard.purdie@linuxfoundation.org>
	Mon, 1 Jun 2026 13:07:38 +0000 (14:07 +0100)
commit	0ca8a46fc2f64c36ed91083a58813e64d6d0b07d
tree	9d3d3c9c24e7e99cd9a494b033c00b8af00cd0ba	tree \| snapshot
parent	d69382185789b0217d746e4c11b067047742c6ee	commit \| diff

meta/recipes-devtools/python/python3-cryptography-common.inc		diff \| blob \| blame \| history
meta/recipes-devtools/python/python3-cryptography-crates.inc		diff \| blob \| blame \| history
meta/recipes-devtools/python/python3-cryptography-vectors.bb		diff \| blob \| blame \| history
meta/recipes-devtools/python/python3-cryptography-vectors/0001-bump-uv_build-to-0.11.0.patch	[deleted file]	blob \| blame \| history
meta/recipes-devtools/python/python3-cryptography.bb		diff \| blob \| blame \| history