diff -Nru python-cryptography-1.2.3/debian/changelog python-cryptography-1.2.3/debian/changelog
--- python-cryptography-1.2.3/debian/changelog	2016-11-17 15:20:34.000000000 +0000
+++ python-cryptography-1.2.3/debian/changelog	2018-10-18 11:19:53.000000000 +0000
@@ -1,3 +1,10 @@
+python-cryptography (1.2.3-1ubuntu0.2) xenial-security; urgency=medium
+
+  * debian/patches/add_x509_up_ref.patch: add X509_up_ref function for
+    pyopenssl security update.
+
+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Thu, 18 Oct 2018 07:18:59 -0400
+
 python-cryptography (1.2.3-1ubuntu0.1) xenial-security; urgency=medium
 
   * SECURITY UPDATE: HKDF might return an empty byte-string
diff -Nru python-cryptography-1.2.3/debian/patches/add_x509_up_ref.patch python-cryptography-1.2.3/debian/patches/add_x509_up_ref.patch
--- python-cryptography-1.2.3/debian/patches/add_x509_up_ref.patch	1970-01-01 00:00:00.000000000 +0000
+++ python-cryptography-1.2.3/debian/patches/add_x509_up_ref.patch	2018-10-18 11:18:51.000000000 +0000
@@ -0,0 +1,32 @@
+Backport of:
+
+From 4cc3b909bcf9e1dda67788c29c0c7770d2c67ffe Mon Sep 17 00:00:00 2001
+From: Paul Kehrer <paul.l.kehrer@gmail.com>
+Date: Wed, 29 Nov 2017 12:34:42 +0800
+Subject: [PATCH] add X509_up_ref (#4028)
+
+---
+ src/_cffi_src/openssl/x509.py | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+Index: python-cryptography-1.2.3/src/_cffi_src/openssl/x509.py
+===================================================================
+--- python-cryptography-1.2.3.orig/src/_cffi_src/openssl/x509.py	2018-10-18 07:17:41.948768700 -0400
++++ python-cryptography-1.2.3/src/_cffi_src/openssl/x509.py	2018-10-18 07:18:32.496806492 -0400
+@@ -122,6 +122,7 @@ X509 *X509_new(void);
+ void X509_free(X509 *);
+ X509 *X509_dup(X509 *);
+ int X509_cmp(const X509 *, const X509 *);
++int X509_up_ref(X509 *);
+ 
+ int X509_print_ex(BIO *, X509 *, unsigned long, unsigned long);
+ 
+@@ -375,4 +376,8 @@ X509_REVOKED *Cryptography_X509_REVOKED_
+     return ASN1_item_dup(ASN1_ITEM_rptr(X509_REVOKED), rev);
+ }
+ 
++int X509_up_ref(X509 *x) {
++   return CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509);
++}
++
+ """
diff -Nru python-cryptography-1.2.3/debian/patches/series python-cryptography-1.2.3/debian/patches/series
--- python-cryptography-1.2.3/debian/patches/series	2016-11-17 15:20:30.000000000 +0000
+++ python-cryptography-1.2.3/debian/patches/series	2018-10-18 11:17:38.000000000 +0000
@@ -1,2 +1,3 @@
 0001-Actually-allocate-a-buffer-that-is-the-correct-size.patch
 CVE-2016-9243.patch
+add_x509_up_ref.patch