https://bugzilla.suse.com/show_bug.cgi?id=1224467 Bug ID: 1224467 Summary: VUL-0: CVE-2024-34083: python-aiosmtpd: MiTM attack could inject extra unencrypted commands after STARTTLS Classification: openSUSE Product: openSUSE Distribution Version: Leap 15.6 Hardware: Other URL: https://smash.suse.de/issue/406536/ OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Security Assignee: python-maintainers@suse.com Reporter: smash_bz@suse.de QA Contact: security-team@suse.de CC: andrea.mattiazzo@suse.com Target Milestone: --- Found By: Security Response Team Blocker: --- aiosmptd is a reimplementation of the Python stdlib smtpd.py based on asyncio. Prior to version 1.4.6, servers based on aiosmtpd accept extra unencrypted commands after STARTTLS, treating them as if they came from inside the encrypted connection. This could be exploited by a man-in-the-middle attack. Version 1.4.6 contains a patch for the issue. References: https://nostarttls.secvuln.info http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-34083 https://www.cve.org/CVERecord?id=CVE-2024-34083 https://github.com/aio-libs/aiosmtpd/commit/b3a4a2c6ecfd228856a20d637dc38354... https://github.com/aio-libs/aiosmtpd/security/advisories/GHSA-wgjv-9j3q-jhg8 https://bugzilla.redhat.com/show_bug.cgi?id=2281505 -- You are receiving this mail because: You are on the CC list for the bug.