[Bug 1224467] New: VUL-0: CVE-2024-34083: python-aiosmtpd: MiTM attack could inject extra unencrypted commands after STARTTLS
https://bugzilla.suse.com/show_bug.cgi?id=1224467

            Bug ID: 1224467
           Summary: VUL-0: CVE-2024-34083: python-aiosmtpd: MiTM attack could inject extra unencrypted commands after STARTTLS
    Classification: openSUSE
           Product: openSUSE Distribution
           Version: Leap 15.6
          Hardware: Other
               URL: https://smash.suse.de/issue/406536/
                OS: Other
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: Security
          Assignee: python-maintainers@suse.com
          Reporter: smash_bz@suse.de
        QA Contact: security-team@suse.de
                CC: andrea.mattiazzo@suse.com
  Target Milestone: ---
          Found By: Security Response Team
           Blocker: ---

aiosmtpd is a reimplementation of the Python stdlib smtpd.py based on asyncio. Prior to version 1.4.6, servers based on aiosmtpd accept extra unencrypted commands after STARTTLS, treating them as if they came from inside the encrypted connection. This could be exploited by a man-in-the-middle attack. Version 1.4.6 contains a patch for the issue.

References:
https://nostarttls.secvuln.info
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-34083
https://www.cve.org/CVERecord?id=CVE-2024-34083
https://github.com/aio-libs/aiosmtpd/commit/b3a4a2c6ecfd228856a20d637dc38354...
https://github.com/aio-libs/aiosmtpd/security/advisories/GHSA-wgjv-9j3q-jhg8
https://bugzilla.redhat.com/show_bug.cgi?id=2281505

-- 
You are receiving this mail because:
You are on the CC list for the bug.
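The report above describes the bug class behind CVE-2024-34083: a server that keeps its read buffer across the STARTTLS upgrade ends up processing commands that arrived in plaintext as though they had come over TLS. The following is an added example, not aiosmtpd's own code, modelling such a line reader with and without the buffer discard that closes the hole; the SmtpSession class, its method names and the sample SMTP exchange are all constructed for illustration.

```python
from dataclasses import dataclass, field

CRLF = b"\r\n"


@dataclass
class SmtpSession:
    """Toy model of an SMTP server's line reader around a STARTTLS upgrade.
    Added example, not aiosmtpd code: it models only the bug class, a read
    buffer that survives the switch from the plaintext socket to TLS."""
    discard_buffer_on_starttls: bool
    buffer: bytes = b""
    tls_active: bool = False
    # (command, server believes it was encrypted, it really was encrypted)
    handled: list = field(default_factory=list)

    def feed(self, data: bytes, really_encrypted: bool) -> None:
        """Append transport bytes and handle every complete line. really_encrypted
        is True for bytes from the TLS layer, False for pre-handshake wire bytes."""
        self.buffer += data
        while CRLF in self.buffer:
            line, self.buffer = self.buffer.split(CRLF, 1)
            cmd = line.decode("ascii", "replace")
            if cmd.upper() == "STARTTLS":
                # The server replies 220 and does the TLS handshake here. Whatever
                # already sits in self.buffer was read in plaintext, so a hardened
                # server drops it instead of carrying it across the upgrade.
                if self.discard_buffer_on_starttls:
                    self.buffer = b""
                self.tls_active = True
                continue
            self.handled.append((cmd, self.tls_active, really_encrypted))

    def plaintext_trusted_as_encrypted(self) -> list:
        """Commands handled as post-STARTTLS input that actually arrived unencrypted."""
        return [c for c, believed, real in self.handled if believed and not real]


def run_session(discard_buffer_on_starttls: bool) -> SmtpSession:
    """Replay a constructed exchange with an extra command trailing STARTTLS."""
    s = SmtpSession(discard_buffer_on_starttls)
    # Constructed plaintext read: an extra command arrives in the same TCP segment
    # as STARTTLS, before any handshake has taken place.
    s.feed(b"EHLO client.example\r\nSTARTTLS\r\nMAIL FROM:<injected@example>\r\n",
           really_encrypted=False)
    # Constructed post-handshake traffic, as delivered by the TLS layer.
    s.feed(b"EHLO client.example\r\nMAIL FROM:<sender@example>\r\n",
           really_encrypted=True)
    return s
```

With the discard disabled, `run_session(False).plaintext_trusted_as_encrypted()` reports the trailing plaintext command; with it enabled the list is empty and only the post-handshake commands are handled.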
https://bugzilla.suse.com/show_bug.cgi?id=1224467#c1

--- Comment #1 from Andrea Mattiazzo <andrea.mattiazzo@suse.com> ---
Tracking as affected:
- openSUSE:Backports:SLE-15-SP5/python-aiosmtpd
- openSUSE:Backports:SLE-15-SP6/python-aiosmtpd
- openSUSE:Factory/python-aiosmtpd
Maintenance Automation <maint-coord+maintenance-robot@suse.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Priority|P5 - None                   |P3 - Medium
Daniel Garcia <daniel.garcia@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |daniel.garcia@suse.com
           Assignee|python-maintainers@suse.com |daniel.garcia@suse.com
             Status|NEW                         |IN_PROGRESS
Daniel Garcia <daniel.garcia@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Assignee|daniel.garcia@suse.com      |security-team@suse.de
https://bugzilla.suse.com/show_bug.cgi?id=1224467#c4

--- Comment #4 from Marcus Meissner <meissner@suse.com> ---
openSUSE-SU-2024:0243-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1221328,1224467
CVE References: CVE-2024-27305,CVE-2024-34083
JIRA References:
Sources used:
openSUSE Backports SLE-15-SP5 (src): python-aiosmtpd-1.2.1-bp155.3.3.1