CVE-2019-5010: TALOS-2018-0758 SSL CRL distribution points Denial of Service

An exploitable denial-of-service vulnerability exists in the X509 certificate parser of Python.org Python 2.7.11 / 3.6.6. A specially crafted X509 certificate can cause a NULL pointer dereference, resulting in a denial of service. An attacker can initiate or accept TLS connections using crafted certificates to trigger this vulnerability.
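The crash class here is a parser that treats an optional certificate field as mandatory: CPython's fix for this issue (the Christian Heimes patch credited below) adds a NULL check in `_get_crl_dp()` in `Modules/_ssl.c` for a DistributionPoint whose optional `distributionPoint` name is absent, a detail taken from the upstream fix rather than from this page. The pure-Python DER walker below is an added example, not CPython's code; it parses the same CRLDistributionPoints extension (RFC 5280 section 4.2.1.13), returns the flat URI list that `ssl.getpeercert()` exposes under `crlDistributionPoints`, and keeps a naive variant beside it to show how the unchecked access fails on a DistributionPoint that carries only a `reasons` bitmap. The function names and the sample DER bytes are constructed for this example.

```python
"""Minimal DER walker for the CRLDistributionPoints extension.

Added example, not CPython's code. Each DistributionPoint has three OPTIONAL
fields: [0] distributionPoint, [1] reasons, [2] cRLIssuer. A DP with no name
is valid DER, so a parser must check for the name before using it.
"""


def _read_tlv(buf, pos):
    """Parse one DER TLV at buf[pos]; return (tag, value_bytes, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        if pos + n > len(buf):
            raise ValueError("truncated long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("DER length exceeds buffer")
    return tag, buf[pos:end], end


def _iter_children(value):
    """Yield (tag, value) for each TLV inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = _read_tlv(value, pos)
        yield tag, inner


def parse_crl_distribution_points(der):
    """Return one dict per DistributionPoint: has_name, uris, reasons.

    Optional fields that are absent are reported as absent, never assumed.
    """
    tag, seq, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("CRLDistributionPoints must be a single SEQUENCE")
    points = []
    for dp_tag, dp_value in _iter_children(seq):
        if dp_tag != 0x30:
            raise ValueError("DistributionPoint must be a SEQUENCE")
        dp = {"has_name": False, "uris": [], "reasons": None}
        for f_tag, f_value in _iter_children(dp_value):
            if f_tag == 0xA0:              # [0] distributionPoint (OPTIONAL)
                dp["has_name"] = True      # the check the unsafe path lacks
                for n_tag, n_value in _iter_children(f_value):
                    if n_tag == 0xA0:      # fullName [0] GeneralNames
                        for g_tag, g_value in _iter_children(n_value):
                            if g_tag == 0x86:   # uniformResourceIdentifier [6]
                                dp["uris"].append(g_value.decode("ascii"))
                    # nameRelativeToCRLIssuer [1] carries no URI; skipped
            elif f_tag == 0x81:            # [1] reasons (OPTIONAL), BIT STRING
                dp["reasons"] = f_value[1:]  # drop the unused-bits count byte
            elif f_tag == 0xA2:            # [2] cRLIssuer (OPTIONAL)
                pass
            else:
                raise ValueError(f"unexpected tag 0x{f_tag:02x} in DistributionPoint")
        points.append(dp)
    return points


def crl_uris(der):
    """Flat tuple of URIs, the shape ssl.getpeercert() uses for
    'crlDistributionPoints'; name-less DPs simply contribute nothing."""
    return tuple(u for dp in parse_crl_distribution_points(der) for u in dp["uris"])


def naive_crl_uris(der):
    """Unsafe pattern: assumes the first field of every DP is the name, the
    analogue of reading dp->distpoint->name without a NULL check. In Python
    this surfaces as a parse error or garbage instead of a segfault."""
    _, seq, _ = _read_tlv(der, 0)
    uris = []
    for _, dp_value in _iter_children(seq):
        _, name = next(_iter_children(dp_value))         # assumes [0] is present
        _, general_names = next(_iter_children(name))    # assumes fullName
        uris.extend(v.decode("ascii") for t, v in _iter_children(general_names) if t == 0x86)
    return uris


def _tlv(tag, value):
    """Encode a short-form DER TLV (value under 128 bytes) for the samples."""
    assert len(value) < 128
    return bytes([tag, len(value)]) + value


# Constructed sample extension: one DP with a URI, one DP with only a
# 'reasons' bitmap (keyCompromise | cACompromise, 5 unused bits -> 05 60).
SAMPLE_URI = b"http://crl.example/a.crl"
DP_WITH_NAME = _tlv(0x30, _tlv(0xA0, _tlv(0xA0, _tlv(0x86, SAMPLE_URI))))
DP_REASONS_ONLY = _tlv(0x30, _tlv(0x81, b"\x05\x60"))
SAMPLE_EXTENSION = _tlv(0x30, DP_WITH_NAME + DP_REASONS_ONLY)

if __name__ == "__main__":
    print(crl_uris(SAMPLE_EXTENSION))
    for dp in parse_crl_distribution_points(SAMPLE_EXTENSION):
        print(dp)
```

`parse_crl_distribution_points` is the hardened path: it records whether the name was present and only descends into it when it was, so the second DP yields no URIs instead of an invalid access. `naive_crl_uris` shows the failing assumption on the same bytes.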

This resolves CVE-2019-5010

Patch by Christian Heimes.

  • Disclosure date: 2019-01-15 (Python issue bpo-35746 reported)
  • Reported at: 2019-01-15
  • Reported by: Colin Read and Nicolas Edet of Cisco.

Vulnerable Versions

  • Python 2.7
  • Python 3.4
  • Python 3.5
  • Python 3.6
  • Python 3.7

Python issue

[ssl][CVE-2019-5010] TALOS-2018-0758 Denial of Service.

  • Python issue: bpo-35746
  • Creation date: 2019-01-15
  • Reporter: Cisco Talos

Timeline

Timeline using the disclosure date 2019-01-15 as reference: