SOURCES/CVE-2025-24898.patch

@@ -1,52 +0,0 @@
-From eda4f38d30c9e8bdfee282d75fc7350d50ba78f3 Mon Sep 17 00:00:00 2001
-From: Charalampos Stratakis <cstratak@redhat.com>
-Date: Thu, 6 Feb 2025 00:16:30 +0100
-Subject: [PATCH 1/2] Use our patched copy of the openssl crate
-
----
- src/rust/Cargo.toml | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/src/rust/Cargo.toml b/src/rust/Cargo.toml
-index 01fba14..a352548 100644
---- a/src/rust/Cargo.toml
-+++ b/src/rust/Cargo.toml
-@@ -20,6 +20,9 @@ openssl = "0.10.54"
- openssl-sys = "0.9.88"
- foreign-types-shared = "0.1"
- 
-+[patch.crates-io]
-+openssl = { path= "../../vendor/openssl" }
-+
- [build-dependencies]
- cc = "1.0.72"
- 
--- 
-2.48.1
-
-
-From a99434f68209631e9363ffa4dd32dacbfa376221 Mon Sep 17 00:00:00 2001
-From: Steven Fackler <sfackler@gmail.com>
-Date: Sun, 2 Feb 2025 12:19:46 -0500
-Subject: [PATCH 2/2] Fix lifetimes in ssl::select_next_proto
-
----
- vendor/openssl/src/ssl/mod.rs | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/vendor/openssl/src/ssl/mod.rs b/vendor/openssl/src/ssl/mod.rs
-index fb38bb3..6aa6705 100644
---- a/vendor/openssl/src/ssl/mod.rs
-+++ b/vendor/openssl/src/ssl/mod.rs
-@@ -696,7 +696,7 @@ cfg_if! {
- ///
- /// [`SslContextBuilder::set_alpn_protos`]: struct.SslContextBuilder.html#method.set_alpn_protos
- #[corresponds(SSL_select_next_proto)]
--pub fn select_next_proto<'a>(server: &[u8], client: &'a [u8]) -> Option<&'a [u8]> {
-+pub fn select_next_proto<'a>(server: &'a [u8], client: &'a [u8]) -> Option<&'a [u8]> {
-     unsafe {
-         let mut out = ptr::null_mut();
-         let mut outlen = 0;
--- 
-2.48.1
-

SPECS/python3.12-cryptography.spec

@@ -8,7 +8,7 @@
 
 Name:           python%{python3_pkgversion}-%{srcname}
 Version:        41.0.7
-Release:        2%{?dist}
+Release:        1%{?dist}
 Summary:        PyCA's cryptography library
 
 # We bundle various crates with cryptography which is dual licensed
@@ -83,10 +83,6 @@ Source2:        conftest-skipper.py
 # https://github.com/pyca/cryptography/commit/3165db8efc82d8e379c4931453f6c776ab8db013
 Patch1:         raise-an-exception-for-CVE-2023-49083.patch
 
-# Security fix for CVE-2025-24898 in the bundled openssl crate
-# Resolved upsteam:
-# https://github.com/sfackler/rust-openssl/commit/f014afb230de4d77bc79dea60e7e58c2f47b60f2
-Patch2:         CVE-2025-24898.patch
 ExclusiveArch:  %{rust_arches}
 
 BuildRequires:  openssl-devel
@@ -181,16 +177,13 @@ cryptography is a package designed to expose cryptographic primitives and
 recipes to Python developers.
 
 %prep
-%if 0%{?fedora}
 %autosetup -p1 -n %{srcname}-%{version}
+%if 0%{?fedora}
 %cargo_prep
 rm src/rust/Cargo.lock
 %else
 # RHEL: use vendored Rust crates
-# We unpack the vendored crates to
+%cargo_prep -V 1
-# be able to patch them
-%autosetup -p1 -n %{srcname}-%{version} -a1
-%cargo_prep -v vendor
 %endif
 
 %if 0%{?fedora}
@@ -206,7 +199,6 @@ sed -i 's,--no-subtests-shortletter,,' pyproject.toml
 
 %build
 export OPENSSL_NO_VENDOR=1
-export RUSTFLAGS="%build_rustflags"
 %py3_build
 
 %install
@@ -246,10 +238,6 @@ PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \
 %{python3_sitearch}/%{srcname}-%{version}-py*.egg-info
 
 %changelog
-* Wed Feb 05 2025 Charalampos Stratakis <cstratak@redhat.com> - 41.0.7-2
-- Security fix for CVE-2025-24898 in the bundled openssl crate
-Resolves: RHEL-77735
-
 * Tue Feb 06 2024 Miro Hrončok <mhroncok@redhat.com> - 41.0.7-1
 - Update to 41.0.7, fixes CVE-2023-49083