CVE-2018-1000808

Priority
Description
Python Cryptographic Authority pyopenssl versions before 17.5.0 contain a
CWE-401 (Failure to Release Memory Before Removing Last Reference)
vulnerability in the PKCS #12 store that can result in denial of service if
memory runs low or is exhausted. Exploitability depends on the calling
application, but it could be as simple as initiating a TLS connection:
anything that would cause the calling application to reload certificates
from a PKCS #12 store. This vulnerability appears to have been fixed in
17.5.0.
Notes
 mdeslaur> requires python-cryptography 2.1.4 which adds X509_up_ref, see
 mdeslaur> https://github.com/pyca/cryptography/pull/4028
Assigned-to
mdeslaur
Package
Upstream: released (17.5.0)
Ubuntu 12.04 ESM (Precise Pangolin): not-affected (code not present)
Ubuntu 14.04 LTS (Trusty Tahr): not-affected (code not present)
Ubuntu 16.04 LTS (Xenial Xerus): released (0.15.1-2ubuntu0.2)
Ubuntu 18.04 LTS (Bionic Beaver): not-affected (17.5.0-1)
Ubuntu 18.10 (Cosmic Cuttlefish): not-affected (17.5.0-1)
Ubuntu 19.04 (Disco Dingo): not-affected (17.5.0-1)
Patches:
Upstream: https://github.com/pyca/pyopenssl/pull/723
Upstream: https://github.com/pyca/pyopenssl/commit/e73818600065821d588af475b024f4eb518c3509
More Information

Updated: 2018-11-08 16:15:01 UTC (commit c62a932fd322f44757e5f89e1e1d6fd51b55200a)