PublicDateAtUSN: 2018-10-08
Candidate: CVE-2018-1000808
PublicDate: 2018-10-08 15:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000808
 https://ubuntu.com/security/notices/USN-3813-1
Description:
 Python Cryptographic Authority pyopenssl version Before 17.5.0 contains a
 CWE - 401 : Failure to Release Memory Before Removing Last Reference
 vulnerability in PKCS #12 Store that can result in Denial of service if
 memory runs low or is exhausted. This attack appear to be exploitable via
 Depends upon calling application, however it could be as simple as
 initiating a TLS connection. Anything that would cause the calling
 application to reload certificates from a PKCS #12 store.. This
 vulnerability appears to have been fixed in 17.5.0.
Ubuntu-Description:
Notes:
 mdeslaur> requires python-cryptography 2.1.4 which adds X509_up_ref, see
 mdeslaur> https://github.com/pyca/cryptography/pull/4028
Bugs:
Priority: medium
Discovered-by:
Assigned-to: mdeslaur
CVSS:
 nvd: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H [5.9 MEDIUM]


Patches_pyopenssl:
 upstream: https://github.com/pyca/pyopenssl/pull/723
 upstream: https://github.com/pyca/pyopenssl/commit/e73818600065821d588af475b024f4eb518c3509
upstream_pyopenssl: released (17.5.0)
precise/esm_pyopenssl: not-affected (code not present)
trusty_pyopenssl: not-affected (code not present)
trusty/esm_pyopenssl: not-affected (code not present)
xenial_pyopenssl: released (0.15.1-2ubuntu0.2)
esm-infra/xenial_pyopenssl: released (0.15.1-2ubuntu0.2)
bionic_pyopenssl: not-affected (17.5.0-1)
cosmic_pyopenssl: not-affected (17.5.0-1)
devel_pyopenssl: not-affected (17.5.0-1)