From c9d1fdd4e028059bc150ebcf000316320b07cf91 Mon Sep 17 00:00:00 2001
From: Azure Linux Security Servicing Account
Date: Fri, 13 Feb 2026 18:08:19 +0000
Subject: [PATCH] Patch python-cryptography for CVE-2026-26007
---
 .../python-cryptography/CVE-2026-26007.patch | 59 +++++++++++++++++++
 .../python-cryptography.spec | 6 +-
 2 files changed, 64 insertions(+), 1 deletion(-)
 create mode 100644 SPECS/python-cryptography/CVE-2026-26007.patch
diff --git a/SPECS/python-cryptography/CVE-2026-26007.patch b/SPECS/python-cryptography/CVE-2026-26007.patch
new file mode 100644
index 00000000000..1ff55c6a4cc
--- /dev/null
+++ b/SPECS/python-cryptography/CVE-2026-26007.patch
@@ -0,0 +1,59 @@
+From e51a8e865abc4c41995510a7bd5ed4ba91acf0df Mon Sep 17 00:00:00 2001
+From: AllSpark
+Date: Fri, 13 Feb 2026 17:58:19 +0000
+Subject: [PATCH] Backport: Deprecate SECT* curves and update changelog; add
+ DeprecatedIn46 warning class
+
+Signed-off-by: Azure Linux Security Servicing Account
+Upstream-reference: AI Backport of https://github.com/pyca/cryptography/commit/0eebb9dbb6343d9bc1d91e5a2482ed4e054a6d8c.patch
+---
+ .../hazmat/primitives/asymmetric/ec.py | 22 +++++++++++++++++++
+ src/cryptography/utils.py | 2 ++
+ 2 files changed, 24 insertions(+)
+
+diff --git a/src/cryptography/hazmat/primitives/asymmetric/ec.py b/src/cryptography/hazmat/primitives/asymmetric/ec.py
+index c7e694f..7cf59a5 100644
+--- a/src/cryptography/hazmat/primitives/asymmetric/ec.py
++++ b/src/cryptography/hazmat/primitives/asymmetric/ec.py
+@@ -500,3 +500,25 @@ def get_curve_for_oid(oid):
+ "The provided object identifier has no matching elliptic "
+ "curve class"
+ )
++
++
++_SECT_CURVES = (
++ SECT163K1,
++ SECT163R2,
++ SECT233K1,
++ SECT233R1,
++ SECT283K1,
++ SECT283R1,
++ SECT409K1,
++ SECT409R1,
++ SECT571K1,
++ SECT571R1,
++)
++
++for _curve_cls in _SECT_CURVES:
++ utils.deprecated(
++ _curve_cls,
++ __name__,
++ "{} will be removed in the next release.".format(_curve_cls.__name__),
++ utils.DeprecatedIn46,
++ )
+diff --git a/src/cryptography/utils.py b/src/cryptography/utils.py
+index bdb3dbf..6c32482 100644
+--- a/src/cryptography/utils.py
++++ b/src/cryptography/utils.py
+@@ -23,6 +23,8 @@ class CryptographyDeprecationWarning(UserWarning):
+ PersistentlyDeprecated2017 = CryptographyDeprecationWarning
+ PersistentlyDeprecated2019 = CryptographyDeprecationWarning
+
++DeprecatedIn46 = CryptographyDeprecationWarning
++
+
+ def _check_bytes(name, value):
+ if not isinstance(value, bytes):
+--
+2.45.4
+
diff --git a/SPECS/python-cryptography/python-cryptography.spec b/SPECS/python-cryptography/python-cryptography.spec
index 770bd6a6f43..4e4de282425 100644
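Review bot: In the new `CVE-2026-26007.patch`, the `for _curve_cls in _SECT_CURVES:` loop added to `ec.py` calls `utils.deprecated(...)` and discards the result, so if `utils.deprecated` in this 3.3.2 tree only returns a wrapper object (its body is outside the hunk), none of the `SECT*` names is rebound and no warning is ever emitted. Binding the result back, for example `globals()[_curve_cls.__name__] = utils.deprecated(_curve_cls, __name__, "...", utils.DeprecatedIn46)`, would make the deprecation observable, and a test that reads `ec.SECT163K1` and expects `CryptographyDeprecationWarning` would confirm it. Separately, the visible changes are warning-only: nothing here alters how keys on these curves are loaded or validated, so if the upstream commit also carries a functional check, the spec changelog entry "Patch for CVE-2026-26007" overstates what this package ships and should say the backport is deprecation-only. The nested subject line also mentions a changelog update, but the nested diffstat lists only `ec.py` and `utils.py`.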
--- a/SPECS/python-cryptography/python-cryptography.spec
+++ b/SPECS/python-cryptography/python-cryptography.spec
@@ -1,7 +1,7 @@
 Summary: Python cryptography library
 Name: python-cryptography
 Version: 3.3.2
-Release: 7%{?dist}
+Release: 8%{?dist}
 License: ASL 2.0
 Vendor: Microsoft Corporation
 Distribution: Mariner
@@ -10,6 +10,7 @@ URL: https://pypi.python.org/pypi/cryptography
 Source0: https://pypi.io/packages/source/c/cryptography/cryptography-%{version}.tar.gz
 Patch0: CVE-2023-23931.patch
 Patch1: CVE-2023-49083.patch
+Patch2: CVE-2026-26007.patch
 %if %{with_check}
 BuildRequires: python3-pip
 %endif
@@ -67,6 +68,9 @@ pip3 install pretend pytest hypothesis iso8601 cryptography_vectors pytz
 %{python3_sitelib}/*
 %changelog
+* Fri Feb 13 2026 Azure Linux Security Servicing Account - 3.3.2-8
+- Patch for CVE-2026-26007
+
 * Fri Jun 07 2024 Juan Camposeco - 3.3.2-7
 - Adding dependency on release version for OpenSSL to fix CVE-2023-50782
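Review bot: `Patch2: CVE-2026-26007.patch` is declared in the second hunk, but this commit touches no `%prep` line: the diffstat's 5 insertions and 1 deletion in the spec are fully accounted for by the Release, Patch2 and changelog lines. If the spec applies patches with explicit per-patch macros rather than `%autosetup`, the new patch would be shipped in the SRPM but never applied to the source tree. The `%prep` section is outside these hunks, so this should be confirmed before the changelog claims the CVE is patched.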