[3.7] py-openssl: Multiple vulnerabilities (CVE-2018-1000807, CVE-2018-1000808)
CVE-2018-1000807: Use-after-free in X509 object handling
Python Cryptographic Authority pyopenssl version before 17.5.0 has a
use-after-free vulnerability
in X509 object handling. This can result in a denial of service or
potentially even code execution.
References:
https://nvd.nist.gov/vuln/detail/CVE-2018-1000807
Patch:
https://github.com/pyca/pyopenssl/pull/723
CVE-2018-1000808: Failure to release memory before removing last reference in PKCS #12 (closed) Store
Python Cryptographic Authority pyopenssl version before 17.5.0 fails to
release memory before removing last reference
in PKCS #12 (closed) Store. This can result in a Denial of service if memory
runs low or is exhausted.
References:
https://nvd.nist.gov/vuln/detail/CVE-2018-1000808
Patch:
https://github.com/pyca/pyopenssl/pull/723
(from redmine: issue id 9867, created on 2019-01-18, closed on 2019-01-18)
- Relations:
- parent #9865 (closed)
- Changesets:
- Revision 2b8672c5 by Natanael Copa on 2019-01-18T16:20:56Z:
main/py-openssl: security upgrade to 17.5.0
CVE-2018-1000807, CVE-2018-1000808
fixes #9867