* CVE-2018-1000872: Resource Management Errors (similar issue to

    CVE-2015-5262) vulnerability in PyKMIP server that can result in DOS: the
    server can be made unavailable by one or more clients opening all of the
    available sockets. Applied upstream patch: Fix a denial-of-service bug by
    setting the server socket timeout (Closes: #917030).

debian/changelog

+python-pykmip (0.5.0-4+deb9u1) stretch-security; urgency=medium
+
+  * CVE-2018-1000872: Resource Management Errors (similar issue to
+    CVE-2015-5262) vulnerability in PyKMIP server that can result in DOS: the
+    server can be made unavailable by one or more clients opening all of the
+    available sockets. Applied upstream patch: Fix a denial-of-service bug by
+    setting the server socket timeout (Closes: #917030).
+
+ -- Thomas Goirand <zigo@debian.org>  Sun, 24 Feb 2019 17:43:42 +0100
+
 python-pykmip (0.5.0-4) unstable; urgency=medium
 
   * Team upload.

debian/patches/CVE-2018-1000872_Fix_a_denial-of-service_bug_by_setting_the_server_socket_timeout.patch

+Description: CVE-2018-1000872: Fix a denial-of-service bug by setting the server socket timeout
+ This change fixes a potential denial-of-service bug with the
+ server, setting a default timeout for all server sockets. This
+ allows the server to drop hung connections without blocking
+ forever. The interrupt triggered during accept calls is expected
+ and is now handled appropriately. Server unit tests have been
+ updated to reflect this change.
+Author: Peter Hamilton <peter.allen.hamilton@gmail.com>
+Date: Tue, 24 Apr 2018 21:57:20 -0400
+Origin: upstream, https://github.com/OpenKMIP/PyKMIP/commit/3a7b880bdf70d295ed8af3a5880bab65fa6b3932
+Bug-Debian: https://bugs.debian.org/917030
+Last-Update: 2019-02-24
+
+Index: python-pykmip/kmip/services/server/server.py
+===================================================================
+--- python-pykmip.orig/kmip/services/server/server.py
++++ python-pykmip/kmip/services/server/server.py
+@@ -176,6 +176,7 @@ class KmipServer(object):
+         self._logger.info("Starting server socket handler.")
+ 
+         # Create a TCP stream socket and configure it for immediate reuse.
++        socket.setdefaulttimeout(10)
+         self._socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+         self._socket.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
+ 
+@@ -283,6 +284,11 @@ class KmipServer(object):
+         while self._is_serving:
+             try:
+                 connection, address = self._socket.accept()
++            except socket.timeout:
++                # Setting the default socket timeout to break hung connections
++                # will cause accept to periodically raise socket.timeout. This
++                # is expected behavior, so ignore it and retry accept.
++                pass
+             except socket.error as e:
+                 if e.errno == errno.EINTR:
+                     self._logger.warning("Interrupting connection service.")
+Index: python-pykmip/kmip/tests/unit/services/server/test_server.py
+===================================================================
+--- python-pykmip.orig/kmip/tests/unit/services/server/test_server.py
++++ python-pykmip/kmip/tests/unit/services/server/test_server.py
+@@ -342,7 +342,11 @@ class TestKmipServer(testtools.TestCase)
+ 
+         # Test the expected behavior for a normal server/interrupt sequence
+         s._socket.accept = mock.MagicMock(
+-            side_effect=[('connection', 'address'), expected_error]
++            side_effect=[
++                ('connection', 'address'),
++                socket.timeout,
++                expected_error
++            ]
+         )
+ 
+         s.serve()

debian/patches/series

+CVE-2018-1000872_Fix_a_denial-of-service_bug_by_setting_the_server_socket_timeout.patch