Message 295319 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	vstinner
Recipients	georg.brandl, vstinner
Date	2017-06-07.08:36:32
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1496824592.96.0.351417246075.issue30585@psf.upfronthosting.co.za>
In-reply-to

Content
Attached pull request backports a fix for this security vulnerability: http://python-security.readthedocs.io/vuln/cve-2016-0772_smtplib_tls_stripping.html "A vulnerability in smtplib allowing MITM attacker to perform a startTLS stripping attack. smtplib does not seem to raise an exception when the remote end (SMTP server) is capable of negotiating starttls but fails to respond with 220 (ok) to an explicit call of SMTP.starttls(). This may allow a malicious MITM to perform a startTLS stripping attack if the client code does not explicitly check the response code for startTLS." Reported by: Tin (Team Oststrom) Python 2.7, 3.4, 3.5 and 3.6 are already safe.

Attached pull request backports a fix for this security vulnerability:
http://python-security.readthedocs.io/vuln/cve-2016-0772_smtplib_tls_stripping.html

"A vulnerability in smtplib allowing MITM attacker to perform a startTLS stripping attack. smtplib does not seem to raise an exception when the remote end (SMTP server) is capable of negotiating starttls but fails to respond with 220 (ok) to an explicit call of SMTP.starttls(). This may allow a malicious MITM to perform a startTLS stripping attack if the client code does not explicitly check the response code for startTLS."

Reported by: Tin (Team Oststrom)

Python 2.7, 3.4, 3.5 and 3.6 are already safe.

History
Date	User	Action	Args
2017-06-07 08:36:32	vstinner	set	recipients: + vstinner, georg.brandl
2017-06-07 08:36:32	vstinner	set	messageid: <1496824592.96.0.351417246075.issue30585@psf.upfronthosting.co.za>
2017-06-07 08:36:32	vstinner	link	issue30585 messages
2017-06-07 08:36:32	vstinner	create