Bug 1303647 (CVE-2016-0772)

Summary: CVE-2016-0772 python: smtplib StartTLS stripping attack
Product: [Other] Security Response
Reporter: Adam Mariš <amaris>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: carnil, cbuissar, cheimes, cstratak, jorton, katzj, kevin, mcyprian, mhroncok, mmaslano, pviktori, python-sig, sardella, security-response-team, slawomir, tomspur, torsava
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
It was found that Python's smtplib library did not raise an exception when the TLS layer failed to be established in the SMTP.starttls() function. A man-in-the-middle attacker could strip out the STARTTLS command (by answering it with a non-220 reply) without generating an exception in the Python SMTP client application, preventing the establishment of the TLS layer and leaving the session in plaintext.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-08-18 20:56:15 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1346344, 1346345, 1346346, 1346354, 1346355, 1346356, 1346357, 1346358, 1346359, 1346360, 1346361, 1348973, 1351679, 1351680, 1351681, 1351682, 1351684
Bug Blocks: 1303701

Description Adam Mariš 2016-02-01 15:04:23 UTC
A vulnerability in smtplib allowing a MITM attacker to perform a startTLS stripping attack. smtplib does not seem to raise an exception when the remote end (smtp server) is capable of negotiating starttls but fails to respond with 220 (ok) to an explicit call of SMTP.starttls(). This may allow a malicious MITM to perform a startTLS stripping attack if the client code does not explicitly check the response code for startTLS.
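
The following is an added example, not code from this bug report or from CPython. It reproduces the condition described above with a constructed fake SMTP server on loopback that advertises STARTTLS in its EHLO reply (so SMTP.has_extn("starttls") is satisfied) but answers the STARTTLS command itself with a 454 instead of 220, which is what a stripping MITM sitting on the connection can do. The client side shows the check that closes the gap regardless of interpreter version: patched smtplib raises SMTPResponseException on the non-220 reply, unpatched smtplib returns (454, reply) silently, so the client treats anything other than a 220 reply plus an SSL-wrapped socket as fatal and closes the plaintext connection before AUTH or MAIL is ever sent. The hostnames, the 454 text and the helper names are assumptions.

```python
import smtplib
import socketserver
import ssl
import threading


class StartTLSStripped(smtplib.SMTPException):
    """STARTTLS was offered but the TLS layer was never established."""


class StrippingSMTPHandler(socketserver.StreamRequestHandler):
    """Constructed fake server standing in for a MITM that strips STARTTLS.

    EHLO advertises STARTTLS, but the STARTTLS command is refused with a
    454, leaving the session in plaintext. The banner host is made up.
    """

    def handle(self):
        self.wfile.write(b"220 mitm.example.test ESMTP\r\n")
        while True:
            line = self.rfile.readline()
            if not line:
                break  # client hung up
            cmd = line.strip().upper()
            if cmd.startswith(b"EHLO"):
                self.wfile.write(b"250-mitm.example.test\r\n"
                                 b"250-STARTTLS\r\n"
                                 b"250 8BITMIME\r\n")
            elif cmd == b"STARTTLS":
                self.wfile.write(b"454 4.7.0 TLS not available\r\n")
            elif cmd.startswith(b"QUIT"):
                self.wfile.write(b"221 bye\r\n")
                break
            else:
                self.wfile.write(b"250 OK\r\n")


class _LoopbackServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True


def start_stripping_server():
    """Start the fake server on an ephemeral loopback port; returns (server, port)."""
    server = _LoopbackServer(("127.0.0.1", 0), StrippingSMTPHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def connect_requiring_tls(host, port, context=None):
    """Open an SMTP session and refuse to proceed unless STARTTLS really succeeded.

    Patched interpreters raise SMTPResponseException from starttls() on a
    non-220 reply; unpatched ones (CVE-2016-0772) return (code, reply) and
    keep going in plaintext, so the code and socket type are checked too.
    """
    context = context or ssl.create_default_context()
    # local_hostname avoids a getfqdn() lookup; "client.test" is an assumption.
    smtp = smtplib.SMTP(host, port, local_hostname="client.test", timeout=5)
    try:
        try:
            code, reply = smtp.starttls(context=context)
        except smtplib.SMTPException as exc:
            raise StartTLSStripped(f"STARTTLS refused: {exc}") from exc
        if code != 220 or not isinstance(smtp.sock, ssl.SSLSocket):
            raise StartTLSStripped(f"STARTTLS not established: {code} {reply!r}")
        return smtp
    except Exception:
        smtp.close()  # never fall through to AUTH/MAIL on the plaintext socket
        raise


def probe(host, port):
    """Return 'tls' if TLS was negotiated, 'stripped' if the client bailed out."""
    try:
        smtp = connect_requiring_tls(host, port)
    except StartTLSStripped:
        return "stripped"
    smtp.quit()
    return "tls"


if __name__ == "__main__":
    server, port = start_stripping_server()
    try:
        print(probe("127.0.0.1", port))  # stripped
    finally:
        server.shutdown()
        server.server_close()
```

The isinstance check on smtp.sock is what actually protects an unpatched client: the 454 reply is only a symptom, and a MITM could equally answer with a 250, so the decisive question is whether the socket smtplib will use for the rest of the session is an SSL-wrapped one.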

Comment 7 Cedric Buissart 2016-06-13 11:19:31 UTC
Patch:

Branch 2.7 : https://hg.python.org/cpython/rev/b3ce713fb9be
Branch 3.4 : https://hg.python.org/cpython/rev/d590114c2394

Comment 9 Cedric Buissart 2016-06-14 15:10:03 UTC
Created python tracking bugs for this issue:

Affects: fedora-all [bug 1346344]

Comment 10 Cedric Buissart 2016-06-14 15:10:09 UTC
Created python26 tracking bugs for this issue:

Affects: epel-5 [bug 1346346]

Comment 11 Cedric Buissart 2016-06-14 15:10:14 UTC
Created python3 tracking bugs for this issue:

Affects: fedora-all [bug 1346345]

Comment 12 Cedric Buissart 2016-06-14 15:14:19 UTC
Unembargoing : flaw and patch are now public

Comment 20 Cedric Buissart 2016-06-22 12:25:35 UTC
Created python34 tracking bugs for this issue:

Affects: epel-7 [bug 1348973]

Comment 21 Fedora Update System 2016-06-23 17:53:42 UTC
python-2.7.11-6.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

Comment 22 Fedora Update System 2016-06-24 23:22:20 UTC
python-2.7.11-5.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Comment 23 Miro Hrončok 2016-06-30 12:34:51 UTC
pypy and pypy3 in Fedora are affected as well

Comment 24 Cedric Buissart 2016-06-30 14:46:55 UTC
Created pypy tracking bugs for this issue:

Affects: fedora-all [bug 1351679]

Comment 25 Cedric Buissart 2016-06-30 14:47:08 UTC
Created pypy3 tracking bugs for this issue:

Affects: fedora-all [bug 1351680]

Comment 26 Cedric Buissart 2016-06-30 14:49:45 UTC
Created pypy tracking bugs for this issue:

Affects: epel-5 [bug 1351681]
Affects: epel-6 [bug 1351682]
Affects: epel-7 [bug 1351684]

Comment 27 Fedora Update System 2016-06-30 21:28:53 UTC
python3-3.5.1-9.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

Comment 28 Fedora Update System 2016-07-05 04:54:33 UTC
pypy3-2.4.0-6.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

Comment 29 Fedora Update System 2016-07-05 04:55:57 UTC
pypy-5.0.1-3.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

Comment 30 Fedora Update System 2016-07-05 08:23:48 UTC
pypy-4.0.1-3.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Comment 31 Fedora Update System 2016-07-05 08:24:37 UTC
python3-3.4.3-9.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Comment 32 Fedora Update System 2016-07-11 23:19:14 UTC
pypy-5.0.1-3.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.

Comment 33 Fedora Update System 2016-07-12 02:20:34 UTC
pypy3-2.4.0-3.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.

Comment 34 Fedora Update System 2016-07-12 02:22:17 UTC
python-2.7.10-10.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.

Comment 35 Fedora Update System 2016-07-12 02:22:56 UTC
python3-3.4.2-8.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.

Comment 36 Fedora Update System 2016-07-12 02:24:29 UTC
pypy3-2.4.0-3.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Comment 37 Fedora Update System 2016-07-30 18:20:29 UTC
python34-3.4.3-5.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.

Comment 38 errata-xmlrpc 2016-08-18 18:04:13 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS

Via RHSA-2016:1627 https://rhn.redhat.com/errata/RHSA-2016-1627.html

Comment 39 errata-xmlrpc 2016-08-18 18:39:58 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7
  Red Hat Enterprise Linux 6

Via RHSA-2016:1626 https://rhn.redhat.com/errata/RHSA-2016-1626.html

Comment 40 errata-xmlrpc 2016-08-18 20:08:35 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6

Via RHSA-2016:1628 https://rhn.redhat.com/errata/RHSA-2016-1628.html

Comment 41 errata-xmlrpc 2016-08-18 20:29:30 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6

Via RHSA-2016:1630 https://rhn.redhat.com/errata/RHSA-2016-1630.html

Comment 42 errata-xmlrpc 2016-08-18 20:30:48 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6

Via RHSA-2016:1629 https://rhn.redhat.com/errata/RHSA-2016-1629.html