Bump cryptography from 3.3.1 to 3.4.3

[dependabot]

Bumps cryptography from 3.3.1 to 3.4.3.

Changelog

Sourced from cryptography's changelog.

3.4.3 - 2021-02-08

* Specify our supported Rust version (>=1.45.0) in our ``setup.py`` so users
  on older versions will get a clear error message.
.. _v3-4-2:
3.4.2 - 2021-02-08

• Improvements to make the rust transition a bit easier. This includes some better error messages and small dependency fixes. If you experience installation problems Be sure to update pip first, then check the :doc:FAQ </faq>.

.. _v3-4-1:

3.4.1 - 2021-02-07

* Fixed a circular import issue.
* Added additional debug output to assist users seeing installation errors
  due to outdated ``pip`` or missing ``rustc``.
.. _v3-4:
3.4 - 2021-02-07

* **BACKWARDS INCOMPATIBLE:** Support for Python 2 has been removed.
* We now ship ``manylinux2014`` wheels and no longer ship ``manylinux1``
  wheels. Users should upgrade to the latest ``pip`` to ensure this doesn't
  cause issues downloading wheels on their platform.
* ``cryptography`` now incorporates Rust code. Users building ``cryptography``
  themselves will need to have the Rust toolchain installed. Users who use an
  officially produced wheel will not need to make any changes. The minimum
  supported Rust version is 1.45.0.
* ``cryptography`` now has :pep:`484` type hints on nearly all of of its public
  APIs. Users can begin using them to type check their code with ``mypy``.
.. _v3-3-2:
3.3.2 - 2021-02-07

</code></pre>

<ul>

<li><strong>SECURITY ISSUE:</strong> Fixed a bug where certain sequences of <code>update()</code> calls

when symmetrically encrypting very large payloads (&gt;2GB) could result in an

integer overflow, leading to buffer overflows. <em>CVE-2020-36242</em></li>

</ul>

<!-- raw HTML omitted -->

</blockquote>

<p>... (truncated)</p>

</details>

<details>

<summary>Commits</summary>
<ul>

<li><a href="https://github.com/pyca/cryptography/commit/86c9e4a763579d6b2369db83064c0c4b8e9c1c77&quot;&gt;&lt;code&gt;86c9e4a&lt;/code&gt;&lt;/a> version bump, changelog already done (<a href="https://github-redirect.dependabot.com/pyca/cryptography/issues/5791&quot;&gt;#5791&lt;/a&gt;)&lt;/li>

<li><a href="https://github.com/pyca/cryptography/commit/0f40cb3acb66014d2872010ae3ba00dd16157d01&quot;&gt;&lt;code&gt;0f40cb3&lt;/code&gt;&lt;/a> [3.4] Specify an MSRV in setup.py (<a href="https://github-redirect.dependabot.com/pyca/cryptography/issues/5789&quot;&gt;#5789&lt;/a>) (<a href="https://github-redirect.dependabot.com/pyca/cryptography/issues/5790&quot;&gt;#5790&lt;/a&gt;)&lt;/li>

<li><a href="https://github.com/pyca/cryptography/commit/74a3df42c43d341014a4a6f111804f304a446902&quot;&gt;&lt;code&gt;74a3df4&lt;/code&gt;&lt;/a> 3.4.2 changelog and version bump (<a href="https://github-redirect.dependabot.com/pyca/cryptography/issues/5784&quot;&gt;#5784&lt;/a&gt;)&lt;/li>

<li><a href="https://github.com/pyca/cryptography/commit/4a66e2bdde25535d236338d8af84595c78562673&quot;&gt;&lt;code&gt;4a66e2b&lt;/code&gt;&lt;/a> [3.4] More aggressively point people at Rust version docs (<a href="https://github-redirect.dependabot.com/pyca/cryptography/issues/5782&quot;&gt;#5782&lt;/a>) (<a href="https://github-redirect.dependabot.com/pyca/cryptography/issues/5783&quot;&gt;#5783&lt;/a&gt;)&lt;/li>

<li><a href="https://github.com/pyca/cryptography/commit/843ada65e816a17e1b3d90b12ab6403c8ff96654&quot;&gt;&lt;code&gt;843ada6&lt;/code&gt;&lt;/a> Remove setuptools_rust from install requirement (<a href="https://github-redirect.dependabot.com/pyca/cryptography/issues/5779&quot;&gt;#5779&lt;/a>) (<a href="https://github-redirect.dependabot.com/pyca/cryptography/issues/5781&quot;&gt;#5781&lt;/a&gt;)&lt;/li>

<li><a href="https://github.com/pyca/cryptography/commit/e5b5c3d4486a4a9b5c457ef7ba147ca893a5a57c&quot;&gt;&lt;code&gt;e5b5c3d&lt;/code&gt;&lt;/a> Interface: Make annotation check optional (<a href="https://github-redirect.dependabot.com/pyca/cryptography/issues/5775&quot;&gt;#5775&lt;/a>) (<a href="https://github-redirect.dependabot.com/pyca/cryptography/issues/5780&quot;&gt;#5780&lt;/a&gt;)&lt;/li>

<li><a href="https://github.com/pyca/cryptography/commit/ebde3be7ef92658bfbc322476a6f2604f41639fb&quot;&gt;&lt;code&gt;ebde3be&lt;/code&gt;&lt;/a> 3.4.1 fixes and changelog bump (<a href="https://github-redirect.dependabot.com/pyca/cryptography/issues/5761&quot;&gt;#5761&lt;/a&gt;)&lt;/li>

<li><a href="https://github.com/pyca/cryptography/commit/2c11ad53c07179e03ea2f60813cb52d83f766292&quot;&gt;&lt;code&gt;2c11ad5&lt;/code&gt;&lt;/a> 3.4 release (<a href="https://github-redirect.dependabot.com/pyca/cryptography/issues/5749&quot;&gt;#5749&lt;/a&gt;)&lt;/li>

<li><a href="https://github.com/pyca/cryptography/commit/06cbf77371881e80ea4b5e349136dcc53749fc0c&quot;&gt;&lt;code&gt;06cbf77&lt;/code&gt;&lt;/a> port changelog and fix back to master for CVE-2020-36242 (<a href="https://github-redirect.dependabot.com/pyca/cryptography/issues/5748&quot;&gt;#5748&lt;/a&gt;)&lt;/li>

<li><a href="https://github.com/pyca/cryptography/commit/9d1669534f95d276412fe224f5a9c413a814f759&quot;&gt;&lt;code&gt;9d16695&lt;/code&gt;&lt;/a> Linker script is no longer required for building your own OpenSSL (<a href="https://github-redirect.dependabot.com/pyca/cryptography/issues/5746&quot;&gt;#5746&lt;/a&gt;)&lt;/li>

<li>Additional commits viewable in <a href="https://github.com/pyca/cryptography/compare/3.3.1...3.4.3&quot;&gt;compare view</a></li>

</ul>

</details>
<br />



Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options


You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot merge will merge this PR after your CI passes on it
@dependabot squash and merge will squash and merge this PR after your CI passes on it
@dependabot cancel merge will cancel a previously requested merge and block automerging
@dependabot reopen will reopen this PR if it is closed
@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually

[jku]

As lukas said in the previous one Looks like we have to pin cryptography<3.4 for python 2.7.

So... in practice should we modify the requirements.txt in securesystemslib to fix this (so it depends on cryptography<3.4 for python 2.7)?

[lukpueh]

So... in practice should we modify the requirements.txt in securesystemslib to fix this (so it depends on cryptography<3.4 for python 2.7)?

Yes, we should configure this in securesystemslib's requirements.txt and setup.py files, which fixes tuf user installs.

Independently, we also need to keep Dependabot from bumping cryptography in tuf's requirements-pinned.txt. We recently dealt with a similar problem with a transitive dependency (tuf->requests->idna) like so: #1259 (also see #1256 (comment) for context). But that case was a bit different, because requests pinned idna for any Python version, whereas we want to pin it for python < 3.6 only, and have dependabot still update it for python >= 3.6. I haven't checked if pip/dependabot support syntax like this, but I think this is what we want:

# in tuf/requirements-pinned.txt

cryptography<3.4;  python_version < '3.6'       # <-- ignored by dependabot
cryptography==3.4; python_version >= '3.6'      # <-- auto-bumped by dependabot

Also see #1249 for context and a feature request about requirements-pinned.txt.

[lukpueh]

cc @sechkova from the modern python packaging and dependency management special task force :)

[joshuagl]

My counter-proposal is that we just make a release ASAP, then stop worrying about python 2 – #1276

[dependabot]

Superseded by #1277.