Whitelist pyOpenSSL 0.13.1 for IDs 36533/36534. #2293

Closed
dumol opened this issue Nov 27, 2018 · 2 comments
Labels
bad-spec Bad specification range

Comments


dumol commented Nov 27, 2018

  • safety version: 1.8.4
  • Python version: 2.7.15
  • Operating System: Solaris 10u11, HP-UX 11.31.

Description

pyOpenSSL vulnerabilities with IDs 36533/36534, corresponding to CVE-2018-1000807 and CVE-2018-1000807, fixed upstream in pyca/pyopenssl#723 do not seem to be applicable to pyOpenSSL version 0.13.1.

Although quite old, pyOpenSSL version 0.13.1 doesn't require the cffi-based OpenSSL bindings provided by the cryptography module, so it's still relevant on platforms such as Solaris 10 or HP-UX, which are not supported by cryptography.

What I Did

For example, on a SPARC machine running Solaris 10u11, we have the following packages installed:

Package      Version Latest Type 
------------ ------- ------ -----
pip          9.0.3   18.1   wheel
pycparser    2.14    2.19   sdist
pycryptodome 3.6.6   3.7.0  sdist
pyOpenSSL    0.13.1  18.0.0 wheel
setuptools   39.0.1  40.6.2 wheel
wheel        0.26.0  0.32.2 wheel

But lately safety will complain for pyOpenSSL:

safety report
checked 22 packages, using default DB
---
-> pyopenssl, installed 0.13.1, affected <17.5.0, id 36533
Python Cryptographic Authority pyopenssl version prior to version 17.5.0 contains a CWE-416: Use After Free vulnerability in X509 object handling that can result in Use after free can lead to possible denial of service or remote code execution.. This attack appear to be exploitable via Depends on the calling application and if it retains a reference to the memory.. This vulnerability appears to have been fixed in 17.5.0.
--
-> pyopenssl, installed 0.13.1, affected <17.5.0, id 36534
Python Cryptographic Authority pyopenssl version Before 17.5.0 contains a CWE - 401 : Failure to Release Memory Before Removing Last Reference vulnerability in PKCS #12 Store that can result in Denial of service if memory runs low or is exhausted.
--

Please check for these vulnerabilities only for older pyOpenSSL versions. Not sure where they were introduced, but 0.13.1 doesn't seem to be affected.

Thank you!

@rafaelpivato rafaelpivato transferred this issue from pyupio/safety Mar 23, 2020
@rafaelpivato rafaelpivato added the bad-spec Bad specification range label Mar 27, 2020

SCH227 commented Apr 2, 2022

@dumol thank you a lot for reporting this issue.

It seems the cryptography dependency was introduced in release 0.14a2.
pyca/pyopenssl@5d97b41
The specs for these vulnerabilities have been fixed now in our db.

Sorry for the late reply, here we are if you need anything else!

@SCH227 SCH227 closed this as completed Apr 2, 2022
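The label on this issue, bad-spec, names the actual defect: the database entry said "affected <17.5.0" with no lower bound, so every version back to 0.x matched, even though the affected code only exists from the release that pulled in cryptography. The script below is an added example, not safety's code and not the real safety DB. It implements a small PEP 440 subset (dotted release plus an optional a/b/rc pre-release tag, enough for the versions quoted in this thread), evaluates comma-separated specifier clauses against an installed version, and runs a constructed package list through two constructed DB snapshots: the open-ended range as printed in the report above, and an assumed corrected range ">=0.14a2,<17.5.0" that starts at the release SCH227 identifies. The exact spec that landed in the safety DB is not shown on this page, so that lower bound is an assumption.

```python
import re

# Minimal PEP 440 subset: a dotted release segment plus an optional a/b/rc
# pre-release tag. Covers "0.13.1", "0.14a2", "17.5.0", "18.0.0"; anything
# else is rejected rather than silently mis-parsed.
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:(a|b|rc)(\d+))?$")
_PRE_RANK = {"a": 0, "b": 1, "rc": 2}
_FINAL = (3, 0)  # a final release sorts after any pre-release of the same number


def parse_version(text):
    """Return a comparable key (release tuple, pre-release tuple) for a version string."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("unsupported version string: %r" % text)
    release = tuple(int(part) for part in m.group(1).split("."))
    # Trailing zeros are insignificant under PEP 440: 17.5 == 17.5.0.
    while len(release) > 1 and release[-1] == 0:
        release = release[:-1]
    if m.group(2) is None:
        pre = _FINAL
    else:
        pre = (_PRE_RANK[m.group(2)], int(m.group(3)))
    return (release, pre)


_CLAUSE_RE = re.compile(r"^(<=|>=|==|!=|<|>)\s*([^\s,]+)$")
_OPS = {
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
    "==": lambda a, b: a == b,
    "!=": lambda a, b: a != b,
}


def matches_spec(installed, spec):
    """True when `installed` satisfies every comma-separated clause of `spec`."""
    v = parse_version(installed)
    for clause in spec.split(","):
        m = _CLAUSE_RE.match(clause.strip())
        if not m:
            raise ValueError("unsupported specifier clause: %r" % clause)
        op, bound = m.groups()
        if not _OPS[op](v, parse_version(bound)):
            return False
    return True


# Constructed data, not the real safety DB. "Before" mirrors the two entries
# exactly as the report in this issue printed them ("affected <17.5.0").
# "After" is an ASSUMED correction that starts the range at 0.14a2, the
# release SCH227 names as the one that introduced the cryptography dependency;
# the spec safety actually committed is not shown on this page.
VULN_DB_BEFORE = {
    "pyopenssl": [("36533", "<17.5.0"), ("36534", "<17.5.0")],
}
VULN_DB_AFTER = {
    "pyopenssl": [("36533", ">=0.14a2,<17.5.0"), ("36534", ">=0.14a2,<17.5.0")],
}

# Constructed subset of the Solaris package list quoted in the issue.
INSTALLED = [("pip", "9.0.3"), ("pycryptodome", "3.6.6"), ("pyOpenSSL", "0.13.1")]


def check(installed, db):
    """Return [(package, version, vuln id, spec)] for every DB entry the install matches."""
    hits = []
    for name, version in installed:
        for vuln_id, spec in db.get(name.lower(), []):
            if matches_spec(version, spec):
                hits.append((name, version, vuln_id, spec))
    return hits


if __name__ == "__main__":
    for label, db in (("before", VULN_DB_BEFORE), ("after", VULN_DB_AFTER)):
        hits = check(INSTALLED, db)
        print("%s spec fix: %d hit(s)" % (label, len(hits)))
        for name, version, vuln_id, spec in hits:
            print("-> %s, installed %s, affected %s, id %s"
                  % (name.lower(), version, spec, vuln_id))
```

With the open-ended range the 0.13.1 install produces the same two hits the report above shows; with the lower bound added it produces none, while 0.14a2 and 17.0.0 still match and 17.5.0 does not. The practical check for anyone curating such a database is the same one this thread arrived at: every "affected <X" spec needs an explicit ">=Y" for the version that introduced the vulnerable code, otherwise it asserts that every release since the project began is affected.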

dumol commented Apr 4, 2022

Thanks! Better late than never… ;-]
