Fixing the following:
```
error: linking with `/nix/store/l3ca456ppdy8hi9hc0rvyr6mrm76si08-clang-wrapper-11.1.0/bin/cc` failed: exit code: 1
= note: ld: library not found for -liconv
```
Backwards incompatible changes: Support for Python 2 has been removed.
Note: This isn't a problem for Nixpkgs because
pythonPackages.cryptography is frozen at version 3.3.2.
Other important packaging changes: "Cryptography now incorporates Rust
code. Users building cryptography themselves will need to have the Rust
toolchain installed. Users who use an officially produced wheel will not
need to make any changes. The minimum supported Rust version is 1.45.0."
SECURITY ISSUE: Fixed a bug where certain sequences of update() calls
when symmetrically encrypting very large payloads (>2GB) could result in
an integer overflow, leading to buffer overflows. CVE-2020-36242
Note: This also updates {,vectors-}3.3.nix (for Python 2 / nixops)
because of the security issue.
Backward incompatible changes:
- Support for Python 3.5 has been removed due to low usage and
maintenance burden.
- The GCM and AESGCM now require 64-bit to 1024-bit (8 byte to 128 byte)
initialization vectors. This change is to conform with an upcoming
OpenSSL release that will no longer support sizes outside this window.
- When deserializing asymmetric keys we now raise ValueError rather than
UnsupportedAlgorithm when an unsupported cipher is used. This change
is to conform with an upcoming OpenSSL release that will no longer
distinguish between error types.
- We no longer allow loading of finite field Diffie-Hellman parameters
of less than 512 bits in length. This change is to conform with an
upcoming OpenSSL release that no longer supports smaller sizes. These
keys were already wildly insecure and should not have been used in any
application outside of testing.
SECURITY ISSUE: Attempted to make RSA PKCS#1v1.5 decryption more
constant time, to protect against Bleichenbacher vulnerabilities. Due to
limitations imposed by our API, we cannot completely mitigate this
vulnerability and a future release will contain a new API which is
designed to be resilient to these for contexts where it is required.
Credit to Hubert Kario for reporting the issue. CVE-2020-25659
Backwards incompatible changes:
- Removed support for idna based U-label parsing in various X.509
classes. This support was originally deprecated in version 2.1 and
moved to an extra in 2.5.
Backwards incompatible changes:
- Removed support for passing an Extension instance to
from_issuer_subject_key_identifier(), as per our deprecation policy.
- Support for LibreSSL 2.7.x, 2.8.x, and 2.9.0 has been removed (2.9.1+
is still supported).
- Dropped support for macOS 10.9, macOS users must upgrade to 10.10 or
newer.
- RSA generate_private_key() no longer accepts public_exponent values
except 65537 and 3 (the latter for legacy purposes).
- X.509 certificate parsing now enforces that the version field contains
a valid value, rather than deferring this check until version is
accessed.
Deprecations:
- Deprecated support for Python 2. At the time there is no time table
for actually dropping support, however we strongly encourage all users
to upgrade their Python, as Python 2 no longer receives support from
the Python core team.
Backwards incompatible changes:
- Support for Python 3.4 has been removed due to low usage and
maintenance burden.
- Support for OpenSSL 1.0.1 has been removed. Users on older version of
OpenSSL will need to upgrade.
- Support for LibreSSL 2.6.x has been removed.
- Reversed the order in which rfc4514_string() returns the RDNs as
required by RFC 4514.
Note: The first three changes should have no impact on Nixpkgs as we
already removed Python 3.4 and OpenSSL 1.0.1. Additionally we don't
support LibreSSL for this package.
