- Update to 46.0.5 (fixes CVE-2026-26007, bsc#1258074)
* An attacker could create a malicious public key that reveals portions of
your private key when using certain uncommon elliptic curves (binary
curves). This version now includes additional security checks to prevent
this attack. This issue only affects binary elliptic curves, which are
rarely used in real-world applications. Credit to XlabAI Team of Tencent
Xuanwu Lab and Atuin Automated Vulnerability Discovery Engine for reporting
the issue. CVE-2026-26007
* Support for SECT* binary elliptic curves is deprecated and will be removed
in the next release.
- Update to 46.0.4
* Dropped support for win_arm64 wheels.
* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.5.5.
- Update to 46.0.3
* Fixed compilation when using LibreSSL 4.2.0.
OBS-URL: https://build.opensuse.org/request/show/1332821
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-cryptography?expand=0&rev=260
- update to 46.0.2:
* Updated Windows, macOS, and Linux wheels to be compiled with
OpenSSL 3.5.4.
* Fixed an issue where users installing via pip on Python 3.14
development versions would not properly install a dependency.
* Fixed an issue building the free-threaded macOS 3.14 wheels.
* BACKWARDS INCOMPATIBLE: Support for Python 3.7 has been
removed.
* Support for OpenSSL < 3.0 is deprecated and will be removed
in the next release.
* Support for x86_64 macOS (including publishing wheels) is
deprecated and will be removed in two releases. We will
switch to publishing an arm64 only wheel for macOS.
* Support for 32-bit Windows (including publishing wheels) is
deprecated and will be removed in two releases. Users should
move to a 64-bit Python installation.
* Updated Windows, macOS, and Linux wheels to be compiled with
OpenSSL 3.5.3.
* We now build ppc64le manylinux wheels and publish them to
PyPI.
* We now build win_arm64 (Windows on Arm) wheels and publish
them to PyPI.
* Added support for free-threaded Python 3.14.
* Removed the deprecated get_attribute_for_oid method on
:class:`~cryptography.x509.CertificateSigningRequest`. Users
should use
:meth:`~cryptography.x509.Attributes.get_attribute_for_oid`
instead.
* Removed the deprecated CAST5, SEED, IDEA, and Blowfish
classes from the cipher module. These are still available in
OBS-URL: https://build.opensuse.org/request/show/1311087
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python-cryptography?expand=0&rev=105
* Updated Windows, macOS, and Linux wheels to be compiled with
OpenSSL 3.5.4.
* Fixed an issue where users installing via pip on Python 3.14
development versions would not properly install a dependency.
* Fixed an issue building the free-threaded macOS 3.14 wheels.
* BACKWARDS INCOMPATIBLE: Support for Python 3.7 has been
removed.
* Support for OpenSSL < 3.0 is deprecated and will be removed
in the next release.
* Support for x86_64 macOS (including publishing wheels) is
deprecated and will be removed in two releases. We will
switch to publishing an arm64 only wheel for macOS.
* Support for 32-bit Windows (including publishing wheels) is
deprecated and will be removed in two releases. Users should
move to a 64-bit Python installation.
* Updated Windows, macOS, and Linux wheels to be compiled with
OpenSSL 3.5.3.
* We now build ppc64le manylinux wheels and publish them to
PyPI.
* We now build win_arm64 (Windows on Arm) wheels and publish
them to PyPI.
* Added support for free-threaded Python 3.14.
* Removed the deprecated get_attribute_for_oid method on
:class:`~cryptography.x509.CertificateSigningRequest`. Users
should use
:meth:`~cryptography.x509.Attributes.get_attribute_for_oid`
instead.
* Removed the deprecated CAST5, SEED, IDEA, and Blowfish
classes from the cipher module. These are still available in
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-cryptography?expand=0&rev=256
- update to 45.0.5:
* Updated Windows, macOS, and Linux wheels to be compiled with
OpenSSL 3.5.1.
* Fixed decrypting PKCS#8 files encrypted with SHA1-RC4. (This
is not considered secure, and is supported only for backwards
compatibility.)
* Fixed decrypting PKCS#8 files encrypted with long salts (this
impacts keys encrypted by Bouncy Castle).
* Fixed decrypting PKCS#8 files encrypted with DES-CBC-MD5.
While wildly insecure, this remains prevalent.
* Fixed using mypy with cryptography on older versions of
Python.
* Updated Windows, macOS, and Linux wheels to be compiled with
OpenSSL 3.5.0.
* Support for Python 3.7 is deprecated and will be removed in
the next cryptography release.
* Updated the minimum supported Rust version (MSRV) to 1.74.0,
from 1.65.0.
* Added support for serialization of PKCS#12 Java truststores
in :func:`~cryptography.hazmat.primitives.serialization.pkcs1
2.serialize_java_truststore`
* Added :meth:`~cryptography.hazmat.primitives.kdf.argon2.Argon
2id.derive_phc_encoded` and :meth:`~cryptography.hazmat.primi
tives.kdf.argon2.Argon2id.verify_phc_encoded` methods to
support password hashing in the PHC string format
* Added support for PKCS7 decryption and encryption using
AES-256 as the content algorithm, in addition to AES-128.
* BACKWARDS INCOMPATIBLE: Made SSH private key loading more
consistent with other private key loading: :func:`~cryptograp
hy.hazmat.primitives.serialization.load_ssh_private_key` now
OBS-URL: https://build.opensuse.org/request/show/1292428
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python-cryptography?expand=0&rev=102
* Updated Windows, macOS, and Linux wheels to be compiled with
OpenSSL 3.5.1.
* Fixed decrypting PKCS#8 files encrypted with SHA1-RC4. (This
is not considered secure, and is supported only for backwards
compatibility.)
* Fixed decrypting PKCS#8 files encrypted with long salts (this
impacts keys encrypted by Bouncy Castle).
* Fixed decrypting PKCS#8 files encrypted with DES-CBC-MD5.
While wildly insecure, this remains prevalent.
* Fixed using mypy with cryptography on older versions of
Python.
* Updated Windows, macOS, and Linux wheels to be compiled with
OpenSSL 3.5.0.
* Support for Python 3.7 is deprecated and will be removed in
the next cryptography release.
* Updated the minimum supported Rust version (MSRV) to 1.74.0,
from 1.65.0.
* Added support for serialization of PKCS#12 Java truststores
in :func:`~cryptography.hazmat.primitives.serialization.pkcs1
2.serialize_java_truststore`
* Added :meth:`~cryptography.hazmat.primitives.kdf.argon2.Argon
2id.derive_phc_encoded` and :meth:`~cryptography.hazmat.primi
tives.kdf.argon2.Argon2id.verify_phc_encoded` methods to
support password hashing in the PHC string format
* Added support for PKCS7 decryption and encryption using
AES-256 as the content algorithm, in addition to AES-128.
* BACKWARDS INCOMPATIBLE: Made SSH private key loading more
consistent with other private key loading: :func:`~cryptograp
hy.hazmat.primitives.serialization.load_ssh_private_key` now
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-cryptography?expand=0&rev=249
- Update to version 44.0.0:
* BACKWARDS INCOMPATIBLE: Dropped support for LibreSSL < 3.9.
* Deprecated Python 3.7 support. Python 3.7 is no longer supported by
the Python core team. Support for Python 3.7 will be removed in a future
cryptography release.
* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.4.0.
* macOS wheels are now built against the macOS 10.13 SDK. Users on older
versions of macOS should upgrade, or they will need to build cryptography
themselves.
* Enforce the RFC 5280 requirement that extended key usage extensions must not be empty.
* Added support for timestamp extraction to the :class:`~cryptography.fernet.MultiFernet` class.
* Relax the Authority Key Identifier requirements on root CA certificates
during X.509 verification to allow fields permitted by RFC 5280 but
forbidden by the CA/Browser BRs.
* Added support for
:class:`~cryptography.hazmat.primitives.kdf.argon2.Argon2id` when using
OpenSSL 3.2.0+.
* Added support for the :class:`~cryptography.x509.Admissions` certificate extension.
* Added basic support for PKCS7 decryption (including S/MIME 3.2) via
:func:`~cryptography.hazmat.primitives.serialization.pkcs7.pkcs7_decrypt_der`,
:func:`~cryptography.hazmat.primitives.serialization.pkcs7.pkcs7_decrypt_pem`,
and :func:`~cryptography.hazmat.primitives.serialization.pkcs7.pkcs7_decrypt_smime`.
- Update specfile to accommodate new project structure at version 44.0.0
- Update no-pytest_benchmark.patch
OBS-URL: https://build.opensuse.org/request/show/1242838
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python-cryptography?expand=0&rev=98
- Update to version 44.0.0:
* BACKWARDS INCOMPATIBLE: Dropped support for LibreSSL < 3.9.
* Deprecated Python 3.7 support. Python 3.7 is no longer supported by
the Python core team. Support for Python 3.7 will be removed in a future
cryptography release.
* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.4.0.
* macOS wheels are now built against the macOS 10.13 SDK. Users on older
versions of macOS should upgrade, or they will need to build cryptography
themselves.
* Enforce the RFC 5280 requirement that extended key usage extensions must not be empty.
* Added support for timestamp extraction to the :class:`~cryptography.fernet.MultiFernet` class.
* Relax the Authority Key Identifier requirements on root CA certificates
during X.509 verification to allow fields permitted by RFC 5280 but
forbidden by the CA/Browser BRs.
* Added support for
:class:`~cryptography.hazmat.primitives.kdf.argon2.Argon2id` when using
OpenSSL 3.2.0+.
* Added support for the :class:`~cryptography.x509.Admissions` certificate extension.
* Added basic support for PKCS7 decryption (including S/MIME 3.2) via
:func:`~cryptography.hazmat.primitives.serialization.pkcs7.pkcs7_decrypt_der`,
:func:`~cryptography.hazmat.primitives.serialization.pkcs7.pkcs7_decrypt_pem`,
and :func:`~cryptography.hazmat.primitives.serialization.pkcs7.pkcs7_decrypt_smime`.
- Update specfile to accommodate new project structure at version 44.0.0
- Update no-pytest_benchmark.patch
OBS-URL: https://build.opensuse.org/request/show/1240357
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-cryptography?expand=0&rev=238
- update to 43.0.0:
* BACKWARDS INCOMPATIBLE: Support for OpenSSL less than 1.1.1e
has been removed. Users on older version of OpenSSL will
need to upgrade.
* BACKWARDS INCOMPATIBLE: Dropped support for LibreSSL < 3.8.
* Updated Windows, macOS, and Linux wheels to be compiled with
OpenSSL 3.3.1.
* Updated the minimum supported Rust version (MSRV) to 1.65.0,
from 1.63.0.
* :func:`~cryptography.hazmat.primitives.asymmetric.rsa.generat
e_private_key` now enforces a minimum RSA key size of
1024-bit. Note that 1024-bit is still considered insecure,
users should generally use a key size of 2048-bits.
* :func:`~cryptography.hazmat.primitives.serialization.pkcs7.se
rialize_certificates` now emits ASN.1 that more closely
follows the recommendations in RFC 2315.
* Added new :doc:`/hazmat/decrepit/index` module which contains
outdated and insecure cryptographic primitives. :class:`~cryp
tography.hazmat.primitives.ciphers.algorithms.CAST5`, :class:
`~cryptography.hazmat.primitives.ciphers.algorithms.SEED`, :c
lass:`~cryptography.hazmat.primitives.ciphers.algorithms.IDEA
`, and :class:`~cryptography.hazmat.primitives.ciphers.algori
thms.Blowfish`, which were deprecated in 37.0.0, have been
added to this module. They will be removed from the cipher
module in 45.0.0.
* Moved :class:`~cryptography.hazmat.primitives.ciphers.algorit
hms.TripleDES` and :class:`~cryptography.hazmat.primitives.ci
phers.algorithms.ARC4` into :doc:`/hazmat/decrepit/index` and
deprecated them in the cipher module. They will be removed
from the cipher module in 48.0.0.
OBS-URL: https://build.opensuse.org/request/show/1189786
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python-cryptography?expand=0&rev=91
* BACKWARDS INCOMPATIBLE: Support for OpenSSL less than 1.1.1e
has been removed. Users on older version of OpenSSL will
need to upgrade.
* BACKWARDS INCOMPATIBLE: Dropped support for LibreSSL < 3.8.
* Updated Windows, macOS, and Linux wheels to be compiled with
OpenSSL 3.3.1.
* Updated the minimum supported Rust version (MSRV) to 1.65.0,
from 1.63.0.
* :func:`~cryptography.hazmat.primitives.asymmetric.rsa.generat
e_private_key` now enforces a minimum RSA key size of
1024-bit. Note that 1024-bit is still considered insecure,
users should generally use a key size of 2048-bits.
* :func:`~cryptography.hazmat.primitives.serialization.pkcs7.se
rialize_certificates` now emits ASN.1 that more closely
follows the recommendations in RFC 2315.
* Added new :doc:`/hazmat/decrepit/index` module which contains
outdated and insecure cryptographic primitives. :class:`~cryp
tography.hazmat.primitives.ciphers.algorithms.CAST5`, :class:
`~cryptography.hazmat.primitives.ciphers.algorithms.SEED`, :c
lass:`~cryptography.hazmat.primitives.ciphers.algorithms.IDEA
`, and :class:`~cryptography.hazmat.primitives.ciphers.algori
thms.Blowfish`, which were deprecated in 37.0.0, have been
added to this module. They will be removed from the cipher
module in 45.0.0.
* Moved :class:`~cryptography.hazmat.primitives.ciphers.algorit
hms.TripleDES` and :class:`~cryptography.hazmat.primitives.ci
phers.algorithms.ARC4` into :doc:`/hazmat/decrepit/index` and
deprecated them in the cipher module. They will be removed
from the cipher module in 48.0.0.
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-cryptography?expand=0&rev=220
