CVE-2018-1000807

NameCVE-2018-1000807
DescriptionPython Cryptographic Authority pyopenssl version prior to version 17.5.0 contains a CWE-416: Use After Free vulnerability in X509 object handling that can result in Use after free can lead to possible denial of service or remote code execution.. This attack appear to be exploitable via Depends on the calling application and if it retains a reference to the memory.. This vulnerability appears to have been fixed in 17.5.0.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
pyopenssl (PTS)jessie0.14-1vulnerable
stretch16.2.0-1vulnerable
buster, sid18.0.0-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
pyopensslsource(unstable)17.5.0-1

Notes

[jessie] - pyopenssl <no-dsa> (Minor issue, but also requires at least cryptography 2.1.4 which exposes the X509_up_ref method)
https://github.com/pyca/pyopenssl/pull/723
https://github.com/pyca/pyopenssl/commit/e73818600065821d588af475b024f4eb518c3509

Search for package or bug name: Reporting problems