From paul.l.kehrer at gmail.com Sun Jan 1 23:19:45 2023
From: paul.l.kehrer at gmail.com (Paul Kehrer)
Date: Mon, 2 Jan 2023 11:19:45 +0700
Subject: [Cryptography-dev] PyCA cryptography 39.0.0 released
Message-ID:

PyCA cryptography 39.0.0 has been released to PyPI. cryptography includes both high level recipes and low level interfaces to common cryptographic algorithms such as symmetric ciphers, asymmetric algorithms, message digests, X509, key derivation functions, and much more. We support Python 3.6+, and PyPy3.

Changelog (https://cryptography.io/en/latest/changelog/#v39-0-0):

* BACKWARDS INCOMPATIBLE: Support for OpenSSL 1.1.0 has been removed. Users on older versions of OpenSSL will need to upgrade. Note that this does not affect users of our wheels.
* BACKWARDS INCOMPATIBLE: Dropped support for LibreSSL < 3.5. The new minimum LibreSSL version is 3.5.0. Going forward our policy is to support versions of LibreSSL that are available in versions of OpenBSD that are still receiving security support.
* BACKWARDS INCOMPATIBLE: Removed the encode_point and from_encoded_point methods on EllipticCurvePublicNumbers, which had been deprecated for several years. public_bytes() and from_encoded_point() should be used instead.
* BACKWARDS INCOMPATIBLE: Support for using MD5 or SHA1 in CertificateBuilder, other X.509 builders, and PKCS7 has been removed.
* BACKWARDS INCOMPATIBLE: Dropped support for macOS 10.10 and 10.11, macOS users must upgrade to 10.12 or newer.
* ANNOUNCEMENT: The next version of cryptography (40.0) will change the way we link OpenSSL. This will only impact users who build cryptography from source (i.e., not from a wheel), and specify their own version of OpenSSL. For those users, the CFLAGS, LDFLAGS, INCLUDE, LIB, and CRYPTOGRAPHY_SUPPRESS_LINK_FLAGS environment variables will no longer be respected. Instead, users will need to configure their builds as documented here.
* Added support for disabling the legacy provider in OpenSSL 3.0.x.
* Added support for disabling RSA key validation checks when loading RSA keys via load_pem_private_key(), load_der_private_key(), and private_key(). This speeds up key loading but is unsafe if you are loading potentially attacker supplied keys.
* Significantly improved performance for ChaCha20Poly1305 when repeatedly calling encrypt or decrypt with the same key.
* Added support for creating OCSP requests with precomputed hashes using add_certificate_by_hash().
* Added support for loading multiple PEM-encoded X.509 certificates from a single input via load_pem_x509_certificates().

-Paul Kehrer (reaperhulk)


From Kurt.Bird at gd-ms.ca Fri Jan 6 12:16:16 2023
From: Kurt.Bird at gd-ms.ca (Bird, Kurt)
Date: Fri, 6 Jan 2023 17:16:16 +0000
Subject: [Cryptography-dev] Declaration of Vulnerabilities - PyNaCl
Message-ID: <1d46da1f09a4404796f5d99764a4e58f@gd-ms.ca>

Dear PyNaCl Developers,

GDMS-C is preparing a response to a Government of Canada solicitation and is considering identifying the following products in the work environment for the proposed solution;

- PyNaCl v1.*

As a requirement of the solicitation, GDMS-C is required to submit a list of the five (5) latest vulnerabilities for the products listed above. Please consider this request and complete the attached form for the products listed.

The proposal response is due shortly and as such GDMS-C would appreciate your response by no later than Close of Business (COB) on January 13, 2023.

Thank you in advance for your assistance, please advise if you require any further assistance or do not foresee meeting the requested due date.

Best regards,

Kurt Bird
Scrum Master, LCSS DevOps
General Dynamics Mission Systems-Canada
(403)-730-1206

"This message and/or attachments may include information subject to GD Corporate Policies and is intended to be accessed only by authorized recipients. Use, storage and transmission are governed by General Dynamics and its policies. Contractual restrictions apply to third parties. Recipients should refer to the policies or contract to determine proper handling. Unauthorized review, use, disclosure or distribution is prohibited. If you are not an intended recipient, please contact the sender and destroy all copies of the original message."

-------------- next part --------------
A non-text attachment was scrubbed...
Name: Vendor Declaration of Vulnerabilities.xlsx
Type: application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
Size: 10694 bytes


From alex.gaynor at gmail.com Fri Jan 6 13:34:12 2023
From: alex.gaynor at gmail.com (Alex Gaynor)
Date: Fri, 6 Jan 2023 13:34:12 -0500
Subject: [Cryptography-dev] Declaration of Vulnerabilities - PyNaCl
In-Reply-To: <1d46da1f09a4404796f5d99764a4e58f@gd-ms.ca>
References: <1d46da1f09a4404796f5d99764a4e58f@gd-ms.ca>
Message-ID:

I think you are confused about how this works. We are not your vendor, it's not our responsibility to help you do your RFP. If you want to sell something to the Canadian Government, you have to do the legwork.

We're an open source project. We provide source code under an OSS license, we accept public contributions, and we publish our security releases in the usual places (CVE DB, GHSA, oss-security list). We don't fill out vendor forms.

Alex

On Fri, Jan 6, 2023 at 1:32 PM Bird, Kurt wrote:
>
> Dear PyNaCl Developers,
>
> GDMS-C is preparing a response to a Government of Canada solicitation and is considering identifying the following products in the work environment for the proposed solution;
>
> - PyNaCl v1.*
>
> As a requirement of the solicitation, GDMS-C is required to submit a list of the five (5) latest vulnerabilities for the products listed above. Please consider this request and complete the attached form for the products listed.
>
> The proposal response is due shortly and as such GDMS-C would appreciate your response by no later than Close of Business (COB) on January 13, 2023.
>
> Thank you in advance for your assistance, please advise if you require any further assistance or do not foresee meeting the requested due date.
>
> Best regards,
>
> Kurt Bird
> Scrum Master, LCSS DevOps
> General Dynamics Mission Systems-Canada
>
> (403)-730-1206
>
> "This message and/or attachments may include information subject to GD Corporate Policies and is intended to be accessed only by authorized recipients. Use, storage and transmission are governed by General Dynamics and its policies. Contractual restrictions apply to third parties. Recipients should refer to the policies or contract to determine proper handling. Unauthorized review, use, disclosure or distribution is prohibited. If you are not an intended recipient, please contact the sender and destroy all copies of the original message."
> _______________________________________________
> Cryptography-dev mailing list
> Cryptography-dev at python.org
> https://mail.python.org/mailman/listinfo/cryptography-dev

--
All that is necessary for evil to succeed is for good people to do nothing.


From Kurt.Bird at gd-ms.ca Fri Jan 6 17:02:19 2023
From: Kurt.Bird at gd-ms.ca (Bird, Kurt)
Date: Fri, 6 Jan 2023 22:02:19 +0000
Subject: [Cryptography-dev] Declaration of Vulnerabilities - pyOpenSSL
Message-ID: <2bb1138d03a5454e93f42d3b6fd2f72f@gd-ms.ca>

Dear PyOpenSSL Maintainers,

GDMS-C is preparing a response to a Government of Canada solicitation and is considering identifying the following products in the work environment for the proposed solution;

- pyOpenSSL v20.* (https://pypi.org/project/pyOpenSSL/20.0.1/)

As a requirement of the solicitation, GDMS-C is required to submit a list of the five (5) latest vulnerabilities for the products listed above. Please consider this request and complete the attached form for the products listed.
The proposal response is due shortly and as such GDMS-C would appreciate your response by no later than Close of Business (COB) on January 13, 2023.

Thank you in advance for your assistance, please advise if you require any further assistance or do not foresee meeting the requested due date.

Best regards,

Kurt Bird
Scrum Master, LCSS DevOps
General Dynamics Mission Systems-Canada
(403)-730-1206

"This message and/or attachments may include information subject to GD Corporate Policies and is intended to be accessed only by authorized recipients. Use, storage and transmission are governed by General Dynamics and its policies. Contractual restrictions apply to third parties. Recipients should refer to the policies or contract to determine proper handling. Unauthorized review, use, disclosure or distribution is prohibited. If you are not an intended recipient, please contact the sender and destroy all copies of the original message."

-------------- next part --------------
A non-text attachment was scrubbed...
Name: Vendor Declaration of Vulnerabilities.xlsx
Type: application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
Size: 10694 bytes


From alex.gaynor at gmail.com Fri Jan 6 17:08:04 2023
From: alex.gaynor at gmail.com (Alex Gaynor)
Date: Fri, 6 Jan 2023 17:08:04 -0500
Subject: [Cryptography-dev] Declaration of Vulnerabilities - pyOpenSSL
In-Reply-To: <2bb1138d03a5454e93f42d3b6fd2f72f@gd-ms.ca>
References: <2bb1138d03a5454e93f42d3b6fd2f72f@gd-ms.ca>
Message-ID:

a) Everything I said about your identical email regarding pynacl is applicable here
b) Please don't ship new things in 2023 that use pyOpenSSL 20, which is from 2020.
Alex

On Fri, Jan 6, 2023 at 5:07 PM Bird, Kurt wrote:
>
> Dear PyOpenSSL Maintainers,
>
> GDMS-C is preparing a response to a Government of Canada solicitation and is considering identifying the following products in the work environment for the proposed solution;
>
> - pyOpenSSL v20.* (https://pypi.org/project/pyOpenSSL/20.0.1/)
>
> As a requirement of the solicitation, GDMS-C is required to submit a list of the five (5) latest vulnerabilities for the products listed above. Please consider this request and complete the attached form for the products listed.
>
> The proposal response is due shortly and as such GDMS-C would appreciate your response by no later than Close of Business (COB) on January 13, 2023.
>
> Thank you in advance for your assistance, please advise if you require any further assistance or do not foresee meeting the requested due date.
>
> Best regards,
>
> Kurt Bird
> Scrum Master, LCSS DevOps
> General Dynamics Mission Systems-Canada
>
> (403)-730-1206
>
> "This message and/or attachments may include information subject to GD Corporate Policies and is intended to be accessed only by authorized recipients. Use, storage and transmission are governed by General Dynamics and its policies. Contractual restrictions apply to third parties. Recipients should refer to the policies or contract to determine proper handling. Unauthorized review, use, disclosure or distribution is prohibited. If you are not an intended recipient, please contact the sender and destroy all copies of the original message."
> _______________________________________________
> Cryptography-dev mailing list
> Cryptography-dev at python.org
> https://mail.python.org/mailman/listinfo/cryptography-dev

--
All that is necessary for evil to succeed is for good people to do nothing.
From paul.l.kehrer at gmail.com Fri Jan 6 17:10:24 2023
From: paul.l.kehrer at gmail.com (Paul Kehrer)
Date: Sat, 7 Jan 2023 06:10:24 +0800
Subject: [Cryptography-dev] Declaration of Vulnerabilities - pyOpenSSL
In-Reply-To: <2bb1138d03a5454e93f42d3b6fd2f72f@gd-ms.ca>
References: <2bb1138d03a5454e93f42d3b6fd2f72f@gd-ms.ca>
Message-ID:

This is very clearly a form email since you sent the exact same thing about pyNaCl just a few hours ago. For variety I will reply this time!

We will not be filling out a form, no major open source project will do this, and this type of spam is extremely unwelcome. Please be better at your job.

-Paul

On Sat, Jan 7, 2023 at 6:07 AM Bird, Kurt wrote:
>
> Dear PyOpenSSL Maintainers,
>
> GDMS-C is preparing a response to a Government of Canada solicitation and is considering identifying the following products in the work environment for the proposed solution;
>
> - pyOpenSSL v20.* (https://pypi.org/project/pyOpenSSL/20.0.1/)
>
> As a requirement of the solicitation, GDMS-C is required to submit a list of the five (5) latest vulnerabilities for the products listed above. Please consider this request and complete the attached form for the products listed.
>
> The proposal response is due shortly and as such GDMS-C would appreciate your response by no later than Close of Business (COB) on January 13, 2023.
>
> Thank you in advance for your assistance, please advise if you require any further assistance or do not foresee meeting the requested due date.
>
> Best regards,
>
> Kurt Bird
> Scrum Master, LCSS DevOps
> General Dynamics Mission Systems-Canada
>
> (403)-730-1206
>
> "This message and/or attachments may include information subject to GD Corporate Policies and is intended to be accessed only by authorized recipients. Use, storage and transmission are governed by General Dynamics and its policies. Contractual restrictions apply to third parties. Recipients should refer to the policies or contract to determine proper handling. Unauthorized review, use, disclosure or distribution is prohibited. If you are not an intended recipient, please contact the sender and destroy all copies of the original message."
> _______________________________________________
> Cryptography-dev mailing list
> Cryptography-dev at python.org
> https://mail.python.org/mailman/listinfo/cryptography-dev