diff -Nru python-cryptography-1.2.3/debian/changelog python-cryptography-1.2.3/debian/changelog
--- python-cryptography-1.2.3/debian/changelog	2016-03-05 03:41:17.000000000 +0000
+++ python-cryptography-1.2.3/debian/changelog	2018-10-18 11:19:53.000000000 +0000
@@ -1,3 +1,20 @@
+python-cryptography (1.2.3-1ubuntu0.2) xenial-security; urgency=medium
+
+  * debian/patches/add_x509_up_ref.patch: add X509_up_ref function for
+    pyopenssl security update.
+
+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Thu, 18 Oct 2018 07:18:59 -0400
+
+python-cryptography (1.2.3-1ubuntu0.1) xenial-security; urgency=medium
+
+  * SECURITY UPDATE: HKDF might return an empty byte-string
+    - debian/patches/CVE-2016-9243.patch: fix short length handling in
+      src/cryptography/hazmat/primitives/kdf/hkdf.py, added test to
+      tests/hazmat/primitives/test_hkdf.py.
+    - CVE-2016-9243
+
+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Thu, 17 Nov 2016 10:20:34 -0500
+
 python-cryptography (1.2.3-1) unstable; urgency=medium
 
   * New upstream release.
diff -Nru python-cryptography-1.2.3/debian/control python-cryptography-1.2.3/debian/control
--- python-cryptography-1.2.3/debian/control	2016-03-05 03:41:17.000000000 +0000
+++ python-cryptography-1.2.3/debian/control	2016-11-17 15:20:47.000000000 +0000
@@ -1,5 +1,6 @@
 Source: python-cryptography
-Maintainer: Tristan Seligmann <mithrandi@debian.org>
+Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
+XSBC-Original-Maintainer: Tristan Seligmann <mithrandi@debian.org>
 Section: python
 Priority: optional
 Build-Depends:
diff -Nru python-cryptography-1.2.3/debian/patches/add_x509_up_ref.patch python-cryptography-1.2.3/debian/patches/add_x509_up_ref.patch
--- python-cryptography-1.2.3/debian/patches/add_x509_up_ref.patch	1970-01-01 00:00:00.000000000 +0000
+++ python-cryptography-1.2.3/debian/patches/add_x509_up_ref.patch	2018-10-18 11:18:51.000000000 +0000
@@ -0,0 +1,32 @@
+Backport of:
+
+From 4cc3b909bcf9e1dda67788c29c0c7770d2c67ffe Mon Sep 17 00:00:00 2001
+From: Paul Kehrer <paul.l.kehrer@gmail.com>
+Date: Wed, 29 Nov 2017 12:34:42 +0800
+Subject: [PATCH] add X509_up_ref (#4028)
+
+---
+ src/_cffi_src/openssl/x509.py | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+Index: python-cryptography-1.2.3/src/_cffi_src/openssl/x509.py
+===================================================================
+--- python-cryptography-1.2.3.orig/src/_cffi_src/openssl/x509.py	2018-10-18 07:17:41.948768700 -0400
++++ python-cryptography-1.2.3/src/_cffi_src/openssl/x509.py	2018-10-18 07:18:32.496806492 -0400
+@@ -122,6 +122,7 @@ X509 *X509_new(void);
+ void X509_free(X509 *);
+ X509 *X509_dup(X509 *);
+ int X509_cmp(const X509 *, const X509 *);
++int X509_up_ref(X509 *);
+ 
+ int X509_print_ex(BIO *, X509 *, unsigned long, unsigned long);
+ 
+@@ -375,4 +376,8 @@ X509_REVOKED *Cryptography_X509_REVOKED_
+     return ASN1_item_dup(ASN1_ITEM_rptr(X509_REVOKED), rev);
+ }
+ 
++int X509_up_ref(X509 *x) {
++   return CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509);
++}
++
+ """
diff -Nru python-cryptography-1.2.3/debian/patches/CVE-2016-9243.patch python-cryptography-1.2.3/debian/patches/CVE-2016-9243.patch
--- python-cryptography-1.2.3/debian/patches/CVE-2016-9243.patch	1970-01-01 00:00:00.000000000 +0000
+++ python-cryptography-1.2.3/debian/patches/CVE-2016-9243.patch	2016-11-17 15:20:29.000000000 +0000
@@ -0,0 +1,45 @@
+From b924696b2e8731f39696584d12cceeb3aeb2d874 Mon Sep 17 00:00:00 2001
+From: Alex Gaynor <alex.gaynor@gmail.com>
+Date: Sat, 5 Nov 2016 22:08:21 -0400
+Subject: [PATCH] Fixes #3211 -- fixed hkdf's output with short length (#3215)
+
+---
+ src/cryptography/hazmat/primitives/kdf/hkdf.py |  2 +-
+ tests/hazmat/primitives/test_hkdf.py           | 11 +++++++++++
+ 2 files changed, 12 insertions(+), 1 deletion(-)
+
+diff --git a/src/cryptography/hazmat/primitives/kdf/hkdf.py b/src/cryptography/hazmat/primitives/kdf/hkdf.py
+index f738bbd..82ed9b1 100644
+--- a/src/cryptography/hazmat/primitives/kdf/hkdf.py
++++ b/src/cryptography/hazmat/primitives/kdf/hkdf.py
+@@ -91,7 +91,7 @@ def _expand(self, key_material):
+         output = [b""]
+         counter = 1
+ 
+-        while (self._algorithm.digest_size // 8) * len(output) < self._length:
++        while self._algorithm.digest_size * (len(output) - 1) < self._length:
+             h = hmac.HMAC(key_material, self._algorithm, backend=self._backend)
+             h.update(output[-1])
+             h.update(self._info)
+diff --git a/tests/hazmat/primitives/test_hkdf.py b/tests/hazmat/primitives/test_hkdf.py
+index e33529c..a05fd75 100644
+--- a/tests/hazmat/primitives/test_hkdf.py
++++ b/tests/hazmat/primitives/test_hkdf.py
+@@ -142,6 +142,17 @@ def test_unicode_typeerror(self, backend):
+ 
+             hkdf.verify(b"foo", u"bar")
+ 
++    def test_derive_short_output(self, backend):
++        hkdf = HKDF(
++            hashes.SHA256(),
++            4,
++            salt=None,
++            info=None,
++            backend=backend
++        )
++
++        assert hkdf.derive(b"\x01" * 16) == b"gJ\xfb{"
++
+ 
+ @pytest.mark.requires_backend_interface(interface=HMACBackend)
+ class TestHKDFExpand(object):
diff -Nru python-cryptography-1.2.3/debian/patches/series python-cryptography-1.2.3/debian/patches/series
--- python-cryptography-1.2.3/debian/patches/series	2016-03-05 03:41:17.000000000 +0000
+++ python-cryptography-1.2.3/debian/patches/series	2018-10-18 11:17:38.000000000 +0000
@@ -1 +1,3 @@
 0001-Actually-allocate-a-buffer-that-is-the-correct-size.patch
+CVE-2016-9243.patch
+add_x509_up_ref.patch