Bug 1303647 (CVE-2016-0772)

| Summary: | CVE-2016-0772 python: smtplib StartTLS stripping attack | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Adam Mariš <amaris> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | unspecified | CC: | carnil, cbuissar, cheimes, cstratak, jorton, katzj, kevin, mcyprian, mhroncok, mmaslano, pviktori, python-sig, sardella, security-response-team, slawomir, tomspur, torsava |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | It was found that Python's smtplib library did not return an exception when StartTLS failed to be established in the SMTP.starttls() function. A man in the middle attacker could strip out the STARTTLS command without generating an exception on the Python SMTP client application, preventing the establishment of the TLS layer. | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | 2016-08-18 20:56:15 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1346344, 1346345, 1346346, 1346354, 1346355, 1346356, 1346357, 1346358, 1346359, 1346360, 1346361, 1348973, 1351679, 1351680, 1351681, 1351682, 1351684 | | |
| Bug Blocks: | 1303701 | | |
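The Doc Text above describes the failure mode: a non-220 reply to STARTTLS (or the command being answered by an intermediary instead of the real server) left the client on a plaintext socket without any exception. The following is an added illustration of the defensive check a client can make; it is example code written for this page, not code from the Python project, the linked patches, or this bug report. The fake SMTP endpoint, the hostname fake.example, and the function names are constructed assumptions. The fake endpoint advertises STARTTLS but answers the command with 454, which is what the client sees when the TLS layer is never negotiated. On a fixed smtplib, starttls() raises SMTPException here; on an unfixed one it returns quietly, so the helper also checks the reply code and that the socket really became an ssl.SSLSocket before reporting success.

```python
import smtplib
import socketserver
import ssl
import threading


class _StripTlsHandler(socketserver.StreamRequestHandler):
    """Constructed fake SMTP endpoint (not a real mail server).

    It presents what a client sees when STARTTLS is stripped: the
    capability is advertised in the EHLO reply, but the STARTTLS
    command itself is answered with 454 instead of 220, so no TLS
    layer is ever negotiated on the connection.
    """

    def handle(self):
        self.wfile.write(b"220 fake.example ESMTP\r\n")
        while True:
            line = self.rfile.readline()
            if not line:
                return
            cmd = line.strip().upper()
            if cmd.startswith(b"EHLO"):
                self.wfile.write(
                    b"250-fake.example\r\n250-STARTTLS\r\n250 AUTH PLAIN LOGIN\r\n"
                )
            elif cmd.startswith(b"STARTTLS"):
                # RFC 3207 temporary failure. The vulnerable smtplib handed
                # this reply back to the caller without raising and without
                # wrapping the socket in TLS.
                self.wfile.write(b"454 TLS not available due to temporary reason\r\n")
            elif cmd.startswith(b"QUIT"):
                self.wfile.write(b"221 bye\r\n")
                return
            else:
                self.wfile.write(b"250 OK\r\n")


def start_fake_server():
    """Start the fake endpoint on an ephemeral loopback port; return the server."""
    server = socketserver.TCPServer(("127.0.0.1", 0), _StripTlsHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def tls_established(host, port):
    """Return True only if STARTTLS actually produced a TLS-wrapped socket.

    Works with both fixed and unfixed smtplib: a fixed version raises an
    SMTPException on a non-220 STARTTLS reply; an unfixed version returns
    the reply without complaint, so the code and the socket type are
    checked explicitly before anything sensitive is sent.
    """
    with smtplib.SMTP(host, port, timeout=5) as smtp:
        smtp.ehlo()
        try:
            code, _reply = smtp.starttls(context=ssl.create_default_context())
        except smtplib.SMTPException:
            # Fixed smtplib: the failed STARTTLS is reported as an exception.
            return False
        # Unfixed smtplib path: starttls() returned as if nothing went wrong.
        if code != 220 or not isinstance(smtp.sock, ssl.SSLSocket):
            return False
        # Only at this point would login() / sendmail() be safe to call.
        return True


if __name__ == "__main__":
    server = start_fake_server()
    host, port = server.server_address
    print("TLS established:", tls_established(host, port))  # False: STARTTLS was stripped
    server.shutdown()
    server.server_close()
```

The isinstance check on smtp.sock is the part that does not depend on the library version: whatever starttls() returns, credentials and message bodies should only follow once the underlying socket is an ssl.SSLSocket.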
Description
Adam Mariš
2016-02-01 15:04:23 UTC
Patch:
Branch 2.7: https://hg.python.org/cpython/rev/b3ce713fb9be
Branch 3.4: https://hg.python.org/cpython/rev/d590114c2394

Created python tracking bugs for this issue:
Affects: fedora-all [bug 1346344]

Created python26 tracking bugs for this issue:
Affects: epel-5 [bug 1346346]

Created python3 tracking bugs for this issue:
Affects: fedora-all [bug 1346345]

Unembargoing: flaw and patch are now public

Created python34 tracking bugs for this issue:
Affects: epel-7 [bug 1348973]

python-2.7.11-6.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

python-2.7.11-5.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

pypy and pypy3 in Fedora are affected as well

Created pypy tracking bugs for this issue:
Affects: fedora-all [bug 1351679]

Created pypy3 tracking bugs for this issue:
Affects: fedora-all [bug 1351680]

Created pypy tracking bugs for this issue:
Affects: epel-5 [bug 1351681]
Affects: epel-6 [bug 1351682]
Affects: epel-7 [bug 1351684]

python3-3.5.1-9.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

pypy3-2.4.0-6.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

pypy-5.0.1-3.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

pypy-4.0.1-3.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

python3-3.4.3-9.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

pypy-5.0.1-3.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.

pypy3-2.4.0-3.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.

python-2.7.10-10.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.

python3-3.4.2-8.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.

pypy3-2.4.0-3.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

python34-3.4.3-5.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.

This issue has been addressed in the following products:
Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7
Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS
Via RHSA-2016:1627 https://rhn.redhat.com/errata/RHSA-2016-1627.html

This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Red Hat Enterprise Linux 6
Via RHSA-2016:1626 https://rhn.redhat.com/errata/RHSA-2016-1626.html

This issue has been addressed in the following products:
Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7
Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 6
Via RHSA-2016:1628 https://rhn.redhat.com/errata/RHSA-2016-1628.html

This issue has been addressed in the following products:
Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7
Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 6
Via RHSA-2016:1630 https://rhn.redhat.com/errata/RHSA-2016-1630.html

This issue has been addressed in the following products:
Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7
Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 6
Via RHSA-2016:1629 https://rhn.redhat.com/errata/RHSA-2016-1629.html