Python Cryptographic Authority pyopenssl version before 17.5.0 has a use-after-free vulnerability in X509 object handling. This can result in a denial of service or potentially even code execution.

Upstream issue: https://github.com/pyca/pyopenssl/pull/723
Created pyOpenSSL tracking bugs for this issue:

Affects: fedora-28 [bug 1640218]
Affects: openstack-rdo [bug 1640219]
Based on discussions with engineering, and examination of the code we ship that uses pyOpenSSL, the severity of this issue has been downgraded. This vulnerability is only exposed when a verify callback stores a reference to the x509 object that will outlive the connection, which is a very unusual need for most applications. We have not observed any code exhibiting this pattern in Red Hat products.
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 13.0 (Queens)

Via RHSA-2019:0085 https://access.redhat.com/errata/RHSA-2019:0085
Statement: This vulnerability is only present when a specific and uncommon usage pattern of pyOpenSSL occurs. Red Hat Product Security has audited our packages that use pyOpenSSL, and determined that software we distribute in Red Hat Enterprise Linux and Red Hat Virtualization does not use pyOpenSSL in such a way as to be vulnerable. Future updates may address this issue.
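To make the usage pattern named in the engineering comment above and the package audit mentioned in the statement concrete, here is an added example; it is not code from this bug, from pyOpenSSL or from Red Hat. It is a standard-library-only audit script: it parses Python source, finds the callback passed to Context.set_verify(), and reports the lines where that callback keeps the bare X509 object it was handed (assigns it to an attribute, a container slot or a global/nonlocal name, or hands it to a container method such as append/add). That retained object is the reference that outlives the connection and dangles in releases before 17.5.0. Safe callbacks copy what they need out of the certificate (digest, DER bytes, subject fields) while the object is still valid. The callback signature (connection, x509, errnum, errdepth, ok) is pyOpenSSL's documented one; the function names (audit_source, is_vulnerable_version), the RETAINING_METHODS heuristic and the two embedded sample snippets are constructed for this example and are not from any shipped product.

```python
"""Audit helper for the verify-callback pattern described in this bug.  Added
example, not code from the bug report, pyOpenSSL or Red Hat; standard library
only.  It finds the callback passed to Context.set_verify() and reports lines
where it keeps the bare X509 object (the one that dangles before 17.5.0)."""
import ast
import re
from typing import Dict, List, Optional

FIXED_VERSION = (17, 5, 0)  # first release carrying the fix (pyca/pyopenssl pull 723)
# Container methods that keep their argument alive beyond the callback; a
# heuristic chosen for this example, not a complete escape analysis.
RETAINING_METHODS = {"append", "add", "insert", "extend", "setdefault", "update", "put"}


def is_vulnerable_version(version: str) -> bool:
    """True if a pyOpenSSL version string (OpenSSL.__version__) sorts before 17.5.0."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError("unparseable pyOpenSSL version: %r" % version)
    return tuple(int(p) for p in m.groups(default="0")) < FIXED_VERSION


def _cert_param(func: ast.FunctionDef) -> Optional[str]:
    """Callbacks run as cb(connection, x509, errnum, errdepth, ok): the cert is
    the second positional parameter after any leading self/cls."""
    names = [a.arg for a in func.args.args]
    if names and names[0] in ("self", "cls"):
        names = names[1:]
    return names[1] if len(names) >= 2 else None


def _retaining_lines(func: ast.FunctionDef, cert: str) -> List[int]:
    """Lines where the bare cert object escapes the callback's own frame."""
    # Names the callback declares global or nonlocal also escape the frame.
    outer = {n for g in ast.walk(func) if isinstance(g, (ast.Global, ast.Nonlocal)) for n in g.names}
    hits = set()
    for node in ast.walk(func):
        if isinstance(node, ast.Assign) and isinstance(node.value, ast.Name) \
                and node.value.id == cert:
            for target in node.targets:  # self.leaf = cert, cache[k] = cert, global
                if isinstance(target, (ast.Attribute, ast.Subscript)) or \
                        (isinstance(target, ast.Name) and target.id in outer):
                    hits.add(node.lineno)
        elif isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute) \
                and node.func.attr in RETAINING_METHODS \
                and any(isinstance(a, ast.Name) and a.id == cert for a in node.args):
            hits.add(node.lineno)  # chain.append(cert), seen.add(cert), ...
    return sorted(hits)


def audit_source(source: str) -> Dict[str, List[int]]:
    """Map each set_verify callback to the lines on which it retains the cert.
    [] means it only derives data (digest, DER, subject fields) from the cert,
    which is safe; [-1] means the callback could not be resolved to a def in
    this module and needs a manual look."""
    tree = ast.parse(source)
    funcs = {n.name: n for n in ast.walk(tree) if isinstance(n, ast.FunctionDef)}
    report: Dict[str, List[int]] = {}
    for node in ast.walk(tree):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr == "set_verify" and len(node.args) >= 2):
            continue
        cb = node.args[1]  # a bare name (verify_cb) or an attribute (client.verify)
        name = cb.id if isinstance(cb, ast.Name) else getattr(cb, "attr", None)
        if name is None or name not in funcs:
            report["unresolved@%d" % node.lineno] = [-1]
            continue
        cert = _cert_param(funcs[name])
        report[name] = _retaining_lines(funcs[name], cert) if cert else []
    return report


# Constructed sample inputs for this example; not code from any product.
RETAINS_X509 = '''
from OpenSSL import SSL

class Client:
    def __init__(self):
        self.chain = []

    def verify(self, conn, cert, errnum, depth, ok):
        self.chain.append(cert)  # X509 object kept past the connection's life
        self.leaf = cert
        return ok

ctx = SSL.Context(SSL.TLSv1_2_METHOD)
ctx.set_verify(SSL.VERIFY_PEER, Client().verify)
'''

COPIES_OUT = '''
from OpenSSL import SSL, crypto
seen = []

def verify(conn, cert, errnum, depth, ok):
    # Copy what is needed while the object is valid; keep only bytes.
    seen.append(cert.digest("sha256"))
    seen.append(crypto.dump_certificate(crypto.FILETYPE_ASN1, cert))
    return ok

ctx = SSL.Context(SSL.TLSv1_2_METHOD)
ctx.set_verify(SSL.VERIFY_PEER, verify)
'''
```

Usage: audit_source(RETAINS_X509) returns {'verify': [9, 10]} (the append and the attribute assignment inside the sample), audit_source(COPIES_OUT) returns {'verify': []}, and is_vulnerable_version(OpenSSL.__version__) tells you whether the installed build predates the fix at all. A hit from the audit only matters on a vulnerable version; conversely a clean audit on an old version is a finding about the code you looked at, not a proof that no other caller (including a lambda or a callback the script reports as unresolved) keeps the object.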