1398666 – Rebase python-cryptography to 1.7 in RHEL 7.4

Bug 1398666 - Rebase python-cryptography to 1.7 in RHEL 7.4

Summary: Rebase python-cryptography to 1.7 in RHEL 7.4

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	python-cryptography
Sub Component:
Version:	7.4
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	Nathaniel McCallum
QA Contact:	Abhijeet Kasurde
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1399979
TreeView+	depends on / blocked

Reported:	2016-11-25 14:07 UTC by Christian Heimes
Modified:	2017-08-01 21:25 UTC (History)
CC List:	6 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2017-08-01 21:25:57 UTC
Target Upstream Version:

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHEA-2017:2122	0	normal	SHIPPED_LIVE	python-cryptography bug fix update	2017-08-01 18:38:06 UTC

Description Christian Heimes 2016-11-25 14:07:36 UTC

Rebase python-cryptography from 1.3.1 (RHEL 7.3) to 1.7. Version 1.7 hasn't been released yet. It's scheduled to be released in about two weeks (early December). The new version will contain two important fixes and a new feature for FreeIPA 4.5.

1.7 improvements:
* new osrandom engine in C (fix for SELinux execmem denials, fix for deadlock and segfaults in mod_wsgi subinterpreters) https://github.com/pyca/cryptography/pull/3229

1.6 improvements:
* new locking code in C (fixes same class of issues as osrandom engine) https://github.com/pyca/cryptography/pull/3226
* support for multi-valued RDNs https://github.com/pyca/cryptography/issues/3199

Comment 1 Martin Kosek 2016-11-25 15:08:57 UTC

Tests are expected to be primarily SanityOnly, by testing IdM use cases only.

Comment 2 Christian Heimes 2016-12-14 10:31:23 UTC

cryptography 1.7.1 was released a couple of hours ago, https://github.com/pyca/cryptography/releases/tag/1.7.1

1.7.1 has caused a regression in PyOpenSSL, https://github.com/pyca/cryptography/pull/3321 . I'm expecting to see a 1.7.2 release in a matter of days.

Comment 3 Christian Heimes 2016-12-14 13:49:34 UTC

https://github.com/pyca/cryptography/pull/3321 affects only 1.8-dev. 1.7.1 is good to go.

Comment 9 Christian Heimes 2017-02-13 14:20:01 UTC

We might want to wait for release 1.8 to get the fix for https://github.com/pyca/cryptography/pull/3382 . The PR replaces the last use of cffi callbacks in cryptography and fixes an issue with password protected private keys.

Comment 17 Abhijeet Kasurde 2017-05-25 10:08:01 UTC

Verified using IPA version :: ipa-server-4.5.0-13.el7.x86_64


Quickinstall and other sanity testcases verifies the status of correct version of Python2-cryptography

# rpm -qa ipa-server python2-cryptography
ipa-server-4.5.0-13.el7.x86_64
python2-cryptography-1.7.2-1.el7.x86_64

Marking BZ as verified.

Comment 18 errata-xmlrpc 2017-08-01 21:25:57 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2017:2122

Note You need to log in before you can comment on or make changes to this bug.