Bumps cryptography from 2.2.2 to 2.4.1. This update includes security fixes.
Vulnerabilities fixed
*Sourced from The GitHub Security Advisory Database.*
> **High severity vulnerability that affects cryptography**
> A flaw was found in python-cryptography versions between >=1.9.0 and <2.3. The finalize_with_tag API did not enforce a minimum tag length. If a user did not validate the input length prior to passing it to finalize_with_tag an attacker could craft an invalid payload with a shortened tag (e.g. 1 byte) such that they would have a 1 in 256 chance of passing the MAC check. GCM tag forgeries can cause key leakage.
>
> Affected versions: >= 1.9.0, < 2.3
Changelog
*Sourced from [cryptography's changelog](https://github.com/pyca/cryptography/blob/master/CHANGELOG.rst).*
> 2.4.1 - 2018-11-11
> ~~~~~~~~~~~~~~~~~~
>
> * Fixed a build breakage in our ``manylinux1`` wheels.
>
> .. _v2-4:
>
> 2.4 - 2018-11-11
> ~~~~~~~~~~~~~~~~
>
> * **BACKWARDS INCOMPATIBLE:** Dropped support for LibreSSL 2.4.x.
> * Deprecated OpenSSL 1.0.1 support. OpenSSL 1.0.1 is no longer supported by
> the OpenSSL project. At this time there is no time table for dropping
> support, however we strongly encourage all users to upgrade or install
> ``cryptography`` from a wheel.
> * Added initial :doc:`OCSP ` support.
> * Added support for :class:`~cryptography.x509.PrecertPoison`.
>
> .. _v2-3-1:
>
> 2.3.1 - 2018-08-14
> ~~~~~~~~~~~~~~~~~~
>
> * Updated Windows, macOS, and ``manylinux1`` wheels to be compiled with
> OpenSSL 1.1.0i.
>
> .. _v2-3:
>
> 2.3 - 2018-07-18
> ~~~~~~~~~~~~~~~~
>
> * **SECURITY ISSUE:**
> :meth:`~cryptography.hazmat.primitives.ciphers.AEADDecryptionContext.finalize_with_tag`
> allowed tag truncation by default which can allow tag forgery in some cases.
> The method now enforces the ``min_tag_length`` provided to the
> :class:`~cryptography.hazmat.primitives.ciphers.modes.GCM` constructor.
> *CVE-2018-10903*
> * Added support for Python 3.7.
> * Added :meth:`~cryptography.fernet.Fernet.extract_timestamp` to get the
> authenticated timestamp of a :doc:`Fernet ` token.
> * Support for Python 2.7.x without ``hmac.compare_digest`` has been deprecated.
> We will require Python 2.7.7 or higher (or 2.7.6 on Ubuntu) in the next
> ``cryptography`` release.
> * Fixed multiple issues preventing ``cryptography`` from compiling against
> LibreSSL 2.7.x.
> * Added
> :class:`~cryptography.x509.CertificateRevocationList.get_revoked_certificate_by_serial_number`
> for quick serial number searches in CRLs.
> * The :class:`~cryptography.x509.RelativeDistinguishedName` class now
> preserves the order of attributes. Duplicate attributes now raise an error
> ... (truncated)
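The advisory at the top of this PR and the 2.3 "SECURITY ISSUE" changelog entry describe the same defect: `finalize_with_tag` accepted a tag shorter than `min_tag_length`, so an attacker who could shorten the tag to one byte had a 1 in 256 chance per attempt of passing the MAC check. The following is an added example, not code from this PR or from the `cryptography` project, showing the two layers of defence on the fixed versions: an application-side length check before the tag reaches the library, and the library's own `min_tag_length` enforcement, which now refuses a short tag with `ValueError` before any MAC comparison happens. The key, nonce, associated data and message are constructed demo values; `encrypt`, `decrypt` and `library_verdict` are names chosen here.

```python
"""GCM tag-length enforcement after CVE-2018-10903 (added example)."""
from cryptography.exceptions import InvalidTag
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

# Full 128-bit GCM tag. The library's default min_tag_length is also 16 bytes.
TAG_LENGTH = 16

# Constructed, fixed demo values so the example is deterministic and runs offline.
KEY = bytes(range(32))          # 256-bit AES key (demo only)
NONCE = bytes(range(12))        # 96-bit nonce (demo only; never reuse with a real key)
AAD = b"header-v1"              # associated data that is authenticated but not encrypted
MESSAGE = b"attack at dawn"


def encrypt(key, nonce, plaintext, aad=b""):
    """AES-GCM encrypt; returns (ciphertext, 16-byte tag)."""
    encryptor = Cipher(
        algorithms.AES(key), modes.GCM(nonce), backend=default_backend()
    ).encryptor()
    encryptor.authenticate_additional_data(aad)
    ciphertext = encryptor.update(plaintext) + encryptor.finalize()
    return ciphertext, encryptor.tag


def decrypt(key, nonce, ciphertext, tag, aad=b""):
    """AES-GCM decrypt with both layers of tag-length protection.

    Layer 1: the application rejects any tag that is not exactly TAG_LENGTH
    bytes, which is the pre-validation the advisory says callers were missing.
    Layer 2: min_tag_length is passed explicitly so the library enforces the
    same floor even if this wrapper is bypassed.
    """
    if len(tag) != TAG_LENGTH:
        raise ValueError(
            "GCM tag must be %d bytes, got %d" % (TAG_LENGTH, len(tag))
        )
    decryptor = Cipher(
        algorithms.AES(key),
        modes.GCM(nonce, min_tag_length=TAG_LENGTH),
        backend=default_backend(),
    ).decryptor()
    decryptor.authenticate_additional_data(aad)
    plaintext = decryptor.update(ciphertext)
    # Raises InvalidTag if ciphertext, AAD or tag were tampered with.
    return plaintext + decryptor.finalize_with_tag(tag)


def library_verdict(key, nonce, ciphertext, tag, aad=b""):
    """Feed a tag straight to finalize_with_tag with no application check and
    report how the library responded:

      "rejected_by_length_check" - tag shorter than min_tag_length (ValueError),
                                   the behaviour introduced in 2.3
      "rejected_by_mac"          - full-length tag but MAC mismatch (InvalidTag)
      "accepted"                 - authentication succeeded
    """
    decryptor = Cipher(
        algorithms.AES(key), modes.GCM(nonce), backend=default_backend()
    ).decryptor()
    decryptor.authenticate_additional_data(aad)
    decryptor.update(ciphertext)
    try:
        decryptor.finalize_with_tag(tag)
    except ValueError:
        return "rejected_by_length_check"
    except InvalidTag:
        return "rejected_by_mac"
    return "accepted"


if __name__ == "__main__":
    ct, tag = encrypt(KEY, NONCE, MESSAGE, AAD)
    print("full tag       :", library_verdict(KEY, NONCE, ct, tag, AAD))
    print("1-byte tag     :", library_verdict(KEY, NONCE, ct, tag[:1], AAD))
    tampered = ct[:-1] + bytes([ct[-1] ^ 0x01])
    print("tampered text  :", library_verdict(KEY, NONCE, tampered, tag, AAD))
    print("wrapper, 1-byte:", end=" ")
    try:
        decrypt(KEY, NONCE, ct, tag[:1], AAD)
    except ValueError as exc:
        print("rejected before reaching the library (%s)" % exc)
```

On a version carrying the fix, the one-byte tag never reaches the MAC comparison: the library refuses it outright, so the 1-in-256 forgery odds the advisory describes no longer apply. The application-side check in `decrypt` is still worth keeping, because it documents the expected tag size at the protocol boundary and does not depend on which library version is installed.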
Commits
- [`db08466`](https://github.com/pyca/cryptography/commit/db08466131a2d495e4bf58e34bf8d0090be04a2d) Revert O_CLOEXEC change to fix builds ([#4570](https://github-redirect.dependabot.com/pyca/cryptography/issues/4570))
- [`5e52fdc`](https://github.com/pyca/cryptography/commit/5e52fdc5f8f3b6c970051c1bf3325b2d0ed8a5db) bump versions and update changelog for 2.4 release ([#4568](https://github-redirect.dependabot.com/pyca/cryptography/issues/4568))
- [`7d3daef`](https://github.com/pyca/cryptography/commit/7d3daefc4db664cd7c344a59c0cad99c4bcd82eb) parametrize a bunch of tests ([#4365](https://github-redirect.dependabot.com/pyca/cryptography/issues/4365))
- [`98420ea`](https://github.com/pyca/cryptography/commit/98420eac4525345cd95c2afa71a04089db8ac8e6) another pkcs12 vector ([#4557](https://github-redirect.dependabot.com/pyca/cryptography/issues/4557))
- [`94c13bb`](https://github.com/pyca/cryptography/commit/94c13bb5de37006ee69e7dfa376c1a6beed67efc) additional pkcs12 test vector ([#4554](https://github-redirect.dependabot.com/pyca/cryptography/issues/4554))
- [`ea34c1a`](https://github.com/pyca/cryptography/commit/ea34c1a9821545b99b6864af211dead662e75dfc) add various new TLS bindings ([#4555](https://github-redirect.dependabot.com/pyca/cryptography/issues/4555))
- [`95af1e3`](https://github.com/pyca/cryptography/commit/95af1e391b7155ebffd962b58f0a2b213af33ec3) add EC OIDs ([#4435](https://github-redirect.dependabot.com/pyca/cryptography/issues/4435))
- [`8f24aef`](https://github.com/pyca/cryptography/commit/8f24aefd5d136ab47cb68a9bcfbff3a171602077) move ObjectIdentifier to break an upcoming import cycle ([#4550](https://github-redirect.dependabot.com/pyca/cryptography/issues/4550))
- [`836250e`](https://github.com/pyca/cryptography/commit/836250e06b07cac034138786ed455d997dfe93ae) suppress healthcheck too slow error ([#4548](https://github-redirect.dependabot.com/pyca/cryptography/issues/4548))
- [`f5ab0de`](https://github.com/pyca/cryptography/commit/f5ab0deff99c8c73e3a8ef46a4b6e567844b2555) add pkcs12 test vectors ([#4535](https://github-redirect.dependabot.com/pyca/cryptography/issues/4535))
- Additional commits viewable in [compare view](https://github.com/pyca/cryptography/compare/2.2.2...2.4.1)
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot ignore this [patch|minor|major] version` will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
- `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language
- `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language
- `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language
- `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language
- `@dependabot badge me` will comment on this PR with code to add a "Dependabot enabled" badge to your readme
Additionally, you can set the following in your Dependabot [dashboard](https://app.dependabot.com):
- Update frequency (including time of day and day of week)
- Automerge options (never/patch/minor, and dev/runtime dependencies)
- Pull request limits (per update run and/or open at any time)
- Out-of-range updates (receive only lockfile updates, if desired)
- Security updates (receive only security updates, if desired)
Finally, you can contact us by mentioning @dependabot.