Description
pyOpenSSL vulnerabilities with IDs 36533/36534, corresponding to CVE-2018-1000807 and CVE-2018-1000807, fixed upstream in pyca/pyopenssl#723, do not seem to be applicable to pyOpenSSL version 0.13.1.
Although quite old, pyOpenSSL version 0.13.1 doesn't require the cffi-based OpenSSL bindings provided by the cryptography module, so it's still relevant on platforms such as Solaris 10 or HP-UX, which are not supported by cryptography.
What I Did
For example, on a SPARC machine running Solaris 10u11, we have the following packages installed:
But lately safety will complain for pyOpenSSL:
safety report
checked 22 packages, using default DB
---
-> pyopenssl, installed 0.13.1, affected <17.5.0, id 36533
Python Cryptographic Authority pyopenssl version prior to version 17.5.0 contains a CWE-416: Use After Free vulnerability in X509 object handling that can result in Use after free can lead to possible denial of service or remote code execution.. This attack appear to be exploitable via Depends on the calling application and if it retains a reference to the memory.. This vulnerability appears to have been fixed in 17.5.0.
--
-> pyopenssl, installed 0.13.1, affected <17.5.0, id 36534
Python Cryptographic Authority pyopenssl version Before 17.5.0 contains a CWE - 401 : Failure to Release Memory Before Removing Last Reference vulnerability in PKCS #12 Store that can result in Denial of service if memory runs low or is exhausted.
--
Please check for these vulnerabilities only for older pyOpenSSL versions. Not sure where they were introduced, but 0.13.1 doesn't seem to be affected.
Thank you!
It seems the cryptography dependency was introduced in release 0.14a2. pyca/pyopenssl@5d97b41
The specs for these vulnerabilities have been fixed now in our db.
Sorry for the late reply, here we are if you need anything else!
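The spec correction the maintainers describe, as an added example that is not safety's or safety-db's own code: a constructed safety-db-style record before and after adding a lower bound, with a checker that handles the 0.14a2 pre-release. The record layout, the field names and the corrected spec ">=0.14a2,<17.5.0" are assumptions drawn from the thread, and the real tool's PEP 440 matching is not reproduced here.

```python
"""Advisory-spec check (added example, not safety's own code): an upper bound
alone ("<17.5.0") also flags 0.13.1, which predates the vulnerable code; the
lower bound ">=0.14a2" (assumed) from the introducing release removes that."""
import re

_PRE_RANK = {"a": 0, "b": 1, "rc": 2}
_FINAL = (3, 0)  # a final release sorts after any pre-release of the same number

def parse_version(text):
    """Small PEP 440 subset: '0.14a2' -> ((0, 14), (0, 2)); trailing zeros dropped."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:(a|b|rc)(\d+))?", text.strip())
    if not m:
        raise ValueError("unsupported version: %r" % text)
    release = tuple(int(p) for p in m.group(1).split("."))
    while len(release) > 1 and release[-1] == 0:
        release = release[:-1]
    pre = (_PRE_RANK[m.group(2)], int(m.group(3))) if m.group(2) else _FINAL
    return release, pre

_OPS = {"<": lambda a, b: a < b, "<=": lambda a, b: a <= b, ">": lambda a, b: a > b,
        ">=": lambda a, b: a >= b, "==": lambda a, b: a == b}

def matches_spec(installed, spec):
    """True if the installed version satisfies every comma-separated clause."""
    v = parse_version(installed)
    for clause in spec.split(","):
        m = re.fullmatch(r"\s*(<=|>=|==|<|>)\s*(\S+)\s*", clause)
        if not m:
            raise ValueError("unsupported clause: %r" % clause)
        if not _OPS[m.group(1)](v, parse_version(m.group(2))):
            return False
    return True

# Constructed records in the spirit of a safety-db entry (layout and fields assumed).
ADVISORIES_BEFORE = [{"id": "36533", "specs": ["<17.5.0"]},
                     {"id": "36534", "specs": ["<17.5.0"]}]
ADVISORIES_AFTER = [{"id": "36533", "specs": [">=0.14a2,<17.5.0"]},
                    {"id": "36534", "specs": [">=0.14a2,<17.5.0"]}]

def affected_ids(installed, advisories):
    """IDs of advisories with at least one spec matching the installed version."""
    return [a["id"] for a in advisories
            if any(matches_spec(installed, s) for s in a["specs"])]

if __name__ == "__main__":
    for label, db in (("before fix", ADVISORIES_BEFORE), ("after fix", ADVISORIES_AFTER)):
        print(label, "pyopenssl 0.13.1 ->", affected_ids("0.13.1", db) or "not affected")
```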