Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
build(deps): bump cryptography from 38.0.3 to 39.0.1 in /.kokoro (#2267)
Bumps [cryptography](https://togithub.com/pyca/cryptography) from 38.0.3 to 39.0.1. <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://togithub.com/pyca/cryptography/blob/main/CHANGELOG.rst">cryptography's changelog</a>.</em></p> <blockquote> <p>39.0.1 - 2023-02-07</p> <pre><code> * **SECURITY ISSUE** - Fixed a bug where ``Cipher.update_into`` accepted Python buffer protocol objects, but allowed immutable buffers. **CVE-2023-23931** * Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.0.8. <p>.. _v39-0-0:</p> <p>39.0.0 - 2023-01-01 </code></pre></p> <ul> <li><strong>BACKWARDS INCOMPATIBLE:</strong> Support for OpenSSL 1.1.0 has been removed. Users on older version of OpenSSL will need to upgrade.</li> <li><strong>BACKWARDS INCOMPATIBLE:</strong> Dropped support for LibreSSL < 3.5. The new minimum LibreSSL version is 3.5.0. Going forward our policy is to support versions of LibreSSL that are available in versions of OpenBSD that are still receiving security support.</li> <li><strong>BACKWARDS INCOMPATIBLE:</strong> Removed the <code>encode_point</code> and <code>from_encoded_point</code> methods on :class:<code>~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicNumbers</code>, which had been deprecated for several years. :meth:<code>~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey.public_bytes</code> and :meth:<code>~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey.from_encoded_point</code> should be used instead.</li> <li><strong>BACKWARDS INCOMPATIBLE:</strong> Support for using MD5 or SHA1 in :class:<code>~cryptography.x509.CertificateBuilder</code>, other X.509 builders, and PKCS7 has been removed.</li> <li><strong>BACKWARDS INCOMPATIBLE:</strong> Dropped support for macOS 10.10 and 10.11, macOS users must upgrade to 10.12 or newer.</li> <li><strong>ANNOUNCEMENT:</strong> The next version of <code>cryptography</code> (40.0) will change the way we link OpenSSL. This will only impact users who build <code>cryptography</code> from source (i.e., not from a <code>wheel</code>), and specify their own version of OpenSSL. For those users, the <code>CFLAGS</code>, <code>LDFLAGS</code>, <code>INCLUDE</code>, <code>LIB</code>, and <code>CRYPTOGRAPHY_SUPPRESS_LINK_FLAGS</code> environment variables will no longer be respected. Instead, users will need to configure their builds <code>as documented here</code>_.</li> <li>Added support for :ref:<code>disabling the legacy provider in OpenSSL 3.0.x<legacy-provider></code>.</li> <li>Added support for disabling RSA key validation checks when loading RSA keys via :func:<code>~cryptography.hazmat.primitives.serialization.load_pem_private_key</code>, :func:<code>~cryptography.hazmat.primitives.serialization.load_der_private_key</code>, and :meth:<code>~cryptography.hazmat.primitives.asymmetric.rsa.RSAPrivateNumbers.private_key</code>. This speeds up key loading but is :term:<code>unsafe</code> if you are loading potentially attacker supplied keys.</li> <li>Significantly improved performance for :class:<code>~cryptography.hazmat.primitives.ciphers.aead.ChaCha20Poly1305</code></li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://togithub.com/pyca/cryptography/commit/d6951dca25de45abd52da51b608055371fbcde4e"><code>d6951dc</code></a> changelog + security fix backport (<a href="https://github-redirect.dependabot.com/pyca/cryptography/issues/8231">#8231</a>)</li> <li><a href="https://togithub.com/pyca/cryptography/commit/138da90c8450446b19619e3faa77b9da54c34be3"><code>138da90</code></a> workaround scapy bug in downstream tests (<a href="https://github-redirect.dependabot.com/pyca/cryptography/issues/8218">#8218</a>) (<a href="https://github-redirect.dependabot.com/pyca/cryptography/issues/8228">#8228</a>)</li> <li><a href="https://togithub.com/pyca/cryptography/commit/69527bc79095c9646d7e839121f0783477892ecc"><code>69527bc</code></a> bookworm is py311 now (<a href="https://github-redirect.dependabot.com/pyca/cryptography/issues/8200">#8200</a>)</li> <li><a href="https://togithub.com/pyca/cryptography/commit/111deefb659b8d73c56d3ce89458f2df973d60e4"><code>111deef</code></a> backport main branch CI to 39.0.x (<a href="https://github-redirect.dependabot.com/pyca/cryptography/issues/8153">#8153</a>)</li> <li><a href="https://togithub.com/pyca/cryptography/commit/338a65a7df74e189f6b5d1d3a6315ffa911b21c2"><code>338a65a</code></a> 39.0.0 version bump (<a href="https://github-redirect.dependabot.com/pyca/cryptography/issues/7954">#7954</a>)</li> <li><a href="https://togithub.com/pyca/cryptography/commit/84a3cd7abb16f594d8c315e8aedb4be02583bf6a"><code>84a3cd7</code></a> automatically download and upload circleci wheels (<a href="https://github-redirect.dependabot.com/pyca/cryptography/issues/7949">#7949</a>)</li> <li><a href="https://togithub.com/pyca/cryptography/commit/525c0b3d5d89eab7f953be5de5d2b75da1c816f8"><code>525c0b3</code></a> Type annotate release.py (<a href="https://github-redirect.dependabot.com/pyca/cryptography/issues/7951">#7951</a>)</li> <li><a href="https://togithub.com/pyca/cryptography/commit/46d2a94d1b574abf5b9e88f84fa7400a138c4edb"><code>46d2a94</code></a> Use the latest 3.10 release when wheel building (<a href="https://github-redirect.dependabot.com/pyca/cryptography/issues/7953">#7953</a>)</li> <li><a href="https://togithub.com/pyca/cryptography/commit/f150dc15582c05b1b94cf08ed3b1fbc9c4f52267"><code>f150dc1</code></a> fix CI to work with ubuntu 22.04 (<a href="https://github-redirect.dependabot.com/pyca/cryptography/issues/7950">#7950</a>)</li> <li><a href="https://togithub.com/pyca/cryptography/commit/8867724b2b6db528d2900414ef86c122a1f5602a"><code>8867724</code></a> fix README for python3 (<a href="https://github-redirect.dependabot.com/pyca/cryptography/issues/7947">#7947</a>)</li> <li>Additional commits viewable in <a href="https://togithub.com/pyca/cryptography/compare/38.0.3...39.0.1">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) - `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language - `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language - `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language - `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language You can disable automated security fix PRs for this repo from the [Security Alerts page](https://togithub.com/googleapis/java-spanner/network/alerts). </details>
- Loading branch information
1 parent
f0ca86a
commit 46c0a2f