import UBI python3.12-cryptography-41.0.7-2.el9_6.1

SOURCES/CVE-2024-26130.patch

@@ -0,0 +1,60 @@
+From 97d231672763cdb5959a3b191e692a362f1b9e55 Mon Sep 17 00:00:00 2001
+From: Alex Gaynor <alex.gaynor@gmail.com>
+Date: Mon, 19 Feb 2024 11:50:28 -0500
+Subject: [PATCH] Fixes #10422 -- don't crash when a PKCS#12 key and cert don't
+ match (#10423)
+
+---
+ .../hazmat/backends/openssl/backend.py         |  9 +++++++++
+ tests/hazmat/primitives/test_pkcs12.py         | 18 ++++++++++++++++++
+ 2 files changed, 27 insertions(+)
+
+diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py
+index 45888f36168a..6a4aeca7521f 100644
+--- a/src/cryptography/hazmat/backends/openssl/backend.py
++++ b/src/cryptography/hazmat/backends/openssl/backend.py
+@@ -623,6 +623,15 @@ def serialize_key_and_certificates_to_pkcs12(
+                     mac_iter,
+                     0,
+                 )
++                if p12 == self._ffi.NULL:
++                    errors = self._consume_errors()
++                    raise ValueError(
++                        (
++                            "Failed to create PKCS12 (does the key match the "
++                            "certificate?)"
++                        ),
++                        errors,
++                    )
+ 
+             if (
+                 self._lib.Cryptography_HAS_PKCS12_SET_MAC
+diff --git a/tests/hazmat/primitives/test_pkcs12.py b/tests/hazmat/primitives/test_pkcs12.py
+index f49c98a4ed3d..cb998c4a4bc0 100644
+--- a/tests/hazmat/primitives/test_pkcs12.py
++++ b/tests/hazmat/primitives/test_pkcs12.py
+@@ -660,6 +660,24 @@ def test_key_serialization_encryption_set_mac_unsupported(
+                 b"name", cakey, cacert, [], algorithm
+             )
+ 
++    @pytest.mark.supported(
++        only_if=lambda backend: backend._lib.Cryptography_HAS_PKCS12_SET_MAC,
++        skip_message="Requires OpenSSL with PKCS12_set_mac",
++    )
++    def test_set_mac_key_certificate_mismatch(self, backend):
++        cacert, _ = _load_ca(backend)
++        key = ec.generate_private_key(ec.SECP256R1())
++        encryption = (
++            serialization.PrivateFormat.PKCS12.encryption_builder()
++            .hmac_hash(hashes.SHA256())
++            .build(b"password")
++        )
++
++        with pytest.raises(ValueError):
++            serialize_key_and_certificates(
++                b"name", key, cacert, [], encryption
++            )
++
+ 
+ @pytest.mark.skip_fips(
+     reason="PKCS12 unsupported in FIPS mode. So much bad crypto in it."

SOURCES/CVE-2025-24898.patch

@@ -0,0 +1,52 @@
+From eda4f38d30c9e8bdfee282d75fc7350d50ba78f3 Mon Sep 17 00:00:00 2001
+From: Charalampos Stratakis <cstratak@redhat.com>
+Date: Thu, 6 Feb 2025 00:16:30 +0100
+Subject: [PATCH 1/2] Use our patched copy of the openssl crate
+
+---
+ src/rust/Cargo.toml | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/rust/Cargo.toml b/src/rust/Cargo.toml
+index 01fba14..a352548 100644
+--- a/src/rust/Cargo.toml
++++ b/src/rust/Cargo.toml
+@@ -20,6 +20,9 @@ openssl = "0.10.54"
+ openssl-sys = "0.9.88"
+ foreign-types-shared = "0.1"
+ 
++[patch.crates-io]
++openssl = { path= "../../vendor/openssl" }
++
+ [build-dependencies]
+ cc = "1.0.72"
+ 
+-- 
+2.48.1
+
+
+From a99434f68209631e9363ffa4dd32dacbfa376221 Mon Sep 17 00:00:00 2001
+From: Steven Fackler <sfackler@gmail.com>
+Date: Sun, 2 Feb 2025 12:19:46 -0500
+Subject: [PATCH 2/2] Fix lifetimes in ssl::select_next_proto
+
+---
+ vendor/openssl/src/ssl/mod.rs | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/vendor/openssl/src/ssl/mod.rs b/vendor/openssl/src/ssl/mod.rs
+index fb38bb3..6aa6705 100644
+--- a/vendor/openssl/src/ssl/mod.rs
++++ b/vendor/openssl/src/ssl/mod.rs
+@@ -696,7 +696,7 @@ cfg_if! {
+ ///
+ /// [`SslContextBuilder::set_alpn_protos`]: struct.SslContextBuilder.html#method.set_alpn_protos
+ #[corresponds(SSL_select_next_proto)]
+-pub fn select_next_proto<'a>(server: &[u8], client: &'a [u8]) -> Option<&'a [u8]> {
++pub fn select_next_proto<'a>(server: &'a [u8], client: &'a [u8]) -> Option<&'a [u8]> {
+     unsafe {
+         let mut out = ptr::null_mut();
+         let mut outlen = 0;
+-- 
+2.48.1
+

SPECS/python3.12-cryptography.spec

@@ -8,7 +8,7 @@
 
 Name:           python%{python3_pkgversion}-%{srcname}
 Version:        41.0.7
-Release:        1%{?dist}
+Release:        2%{?dist}.1
 Summary:        PyCA's cryptography library
 
 # We bundle various crates with cryptography which is dual licensed
@@ -83,6 +83,16 @@ Source2:        conftest-skipper.py
 # https://github.com/pyca/cryptography/commit/3165db8efc82d8e379c4931453f6c776ab8db013
 Patch1:         raise-an-exception-for-CVE-2023-49083.patch
 
+# Security fix for CVE-2025-24898 in the bundled openssl crate
+# Resolved upsteam:
+# https://github.com/sfackler/rust-openssl/commit/f014afb230de4d77bc79dea60e7e58c2f47b60f2
+Patch2:         CVE-2025-24898.patch
+
+# Security fix for CVE-2024-26130
+# Resolved upstream:
+# https://github.com/pyca/cryptography/commit/97d231672763cdb5959a3b191e692a362f1b9e55
+Patch3:         CVE-2024-26130.patch
+
 ExclusiveArch:  %{rust_arches}
 
 BuildRequires:  openssl-devel
@@ -177,13 +187,16 @@ cryptography is a package designed to expose cryptographic primitives and
 recipes to Python developers.
 
 %prep
-%autosetup -p1 -n %{srcname}-%{version}
 %if 0%{?fedora}
+%autosetup -p1 -n %{srcname}-%{version}
 %cargo_prep
 rm src/rust/Cargo.lock
 %else
 # RHEL: use vendored Rust crates
-%cargo_prep -V 1
+# We unpack the vendored crates to
+# be able to patch them
+%autosetup -p1 -n %{srcname}-%{version} -a1
+%cargo_prep -v vendor
 %endif
 
 %if 0%{?fedora}
@@ -199,6 +212,7 @@ sed -i 's,--no-subtests-shortletter,,' pyproject.toml
 
 %build
 export OPENSSL_NO_VENDOR=1
+export RUSTFLAGS="%build_rustflags"
 %py3_build
 
 %install
@@ -238,6 +252,14 @@ PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \
 %{python3_sitearch}/%{srcname}-%{version}-py*.egg-info
 
 %changelog
+* Fri Sep 05 2025 Lumir Balhar <lbalhar@redhat.com> - 41.0.7-2.1
+- Security fix for CVE-2024-26130
+Resolves: RHEL-112483
+
+* Wed Feb 05 2025 Charalampos Stratakis <cstratak@redhat.com> - 41.0.7-2
+- Security fix for CVE-2025-24898 in the bundled openssl crate
+Resolves: RHEL-77735
+
 * Tue Feb 06 2024 Miro Hrončok <mhroncok@redhat.com> - 41.0.7-1
 - Update to 41.0.7, fixes CVE-2023-49083