Security update for python-cryptography, python-pyOpenSSL SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2019:1104-1 Final 1 1 2019-04-02T10:59:37Z current 2019-04-02T10:59:37Z 2019-04-02T10:59:37Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for python-cryptography, python-pyOpenSSL This update for python-cryptography, python-pyOpenSSL fixes the following issues: Security issues fixed: - CVE-2018-1000808: A memory leak due to missing reference checking in PKCS#12 store handling was fixed (bsc#1111634) - CVE-2018-1000807: A use-after-free in X509 object handling was fixed (bsc#1111635) This update also contains the following tracked bug fixes: - avoid bad interaction with python-cryptography package. (bsc#1021578) - Avoid regression accessesing non-existing attribute _from_raw_x509_ptr in object X509 (bsc#1119077) - Add python-setuptools as a requirement. (bsc#1052927) This update was imported from the SUSE:SLE-12-SP2:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/opensuse-security-announce/2019-04/msg00014.html E-Mail link for openSUSE-SU-2019:1104-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE Leap 42.3 python-cryptography-1.3.1-5.3.1 python-pyOpenSSL-16.0.0-5.8.2 python-pyOpenSSL-doc-16.0.0-5.8.2 python3-cryptography-1.3.1-5.3.1 python3-pyOpenSSL-16.0.0-5.8.2 python3-pyOpenSSL-doc-16.0.0-5.8.2 python-cryptography-1.3.1-5.3.1 as a component of openSUSE Leap 42.3 python-pyOpenSSL-16.0.0-5.8.2 as a component of openSUSE Leap 42.3 python-pyOpenSSL-doc-16.0.0-5.8.2 as a component of openSUSE Leap 42.3 python3-cryptography-1.3.1-5.3.1 as a component of openSUSE Leap 42.3 python3-pyOpenSSL-16.0.0-5.8.2 as a component of openSUSE Leap 42.3 python3-pyOpenSSL-doc-16.0.0-5.8.2 as a component of openSUSE Leap 42.3 Python Cryptographic Authority pyopenssl version prior to version 17.5.0 contains a CWE-416: Use After Free vulnerability in X509 object handling that can result in Use after free can lead to possible denial of service or remote code execution.. This attack appear to be exploitable via Depends on the calling application and if it retains a reference to the memory.. This vulnerability appears to have been fixed in 17.5.0. CVE-2018-1000807 openSUSE Leap 42.3:python-cryptography-1.3.1-5.3.1 openSUSE Leap 42.3:python-pyOpenSSL-16.0.0-5.8.2 openSUSE Leap 42.3:python-pyOpenSSL-doc-16.0.0-5.8.2 openSUSE Leap 42.3:python3-cryptography-1.3.1-5.3.1 openSUSE Leap 42.3:python3-pyOpenSSL-16.0.0-5.8.2 openSUSE Leap 42.3:python3-pyOpenSSL-doc-16.0.0-5.8.2 important Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2019-04/msg00014.html https://www.suse.com/security/cve/CVE-2018-1000807.html CVE-2018-1000807 https://bugzilla.suse.com/1111634 SUSE Bug 1111634 https://bugzilla.suse.com/1111635 SUSE Bug 1111635 Python Cryptographic Authority pyopenssl version Before 17.5.0 contains a CWE - 401 : Failure to Release Memory Before Removing Last Reference vulnerability in PKCS #12 Store that can result in Denial of service if memory runs low or is exhausted. This attack appear to be exploitable via Depends upon calling application, however it could be as simple as initiating a TLS connection. Anything that would cause the calling application to reload certificates from a PKCS #12 store.. This vulnerability appears to have been fixed in 17.5.0. CVE-2018-1000808 openSUSE Leap 42.3:python-cryptography-1.3.1-5.3.1 openSUSE Leap 42.3:python-pyOpenSSL-16.0.0-5.8.2 openSUSE Leap 42.3:python-pyOpenSSL-doc-16.0.0-5.8.2 openSUSE Leap 42.3:python3-cryptography-1.3.1-5.3.1 openSUSE Leap 42.3:python3-pyOpenSSL-16.0.0-5.8.2 openSUSE Leap 42.3:python3-pyOpenSSL-doc-16.0.0-5.8.2 moderate Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2019-04/msg00014.html https://www.suse.com/security/cve/CVE-2018-1000808.html CVE-2018-1000808 https://bugzilla.suse.com/1111634 SUSE Bug 1111634 https://bugzilla.suse.com/1111635 SUSE Bug 1111635