blob: 058050795401bf5d6a7f463bd56f67fcda168042 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
|
# HG changeset patch
# User Benjamin Peterson <benjamin@python.org>
# Date 1465676202 25200
# Node ID b3ce713fb9beebfff9848cefa0acbd59acc68fe9
# Parent 3017e41b0c99d24e88faf1de447f230e2f64d122
raise an error when STARTTLS fails
Upstream-status: Backport
CVE: CVE-2016-0772
Signed-off-by: Armin Kuster <akuster@mvista.com>
Index: Python-2.7.9/Lib/smtplib.py
===================================================================
--- Python-2.7.9.orig/Lib/smtplib.py
+++ Python-2.7.9/Lib/smtplib.py
@@ -656,6 +656,11 @@ class SMTP:
self.ehlo_resp = None
self.esmtp_features = {}
self.does_esmtp = 0
+ else:
+ # RFC 3207:
+ # 501 Syntax error (no parameters allowed)
+ # 454 TLS not available due to temporary reason
+ raise SMTPResponseException(resp, reply)
return (resp, reply)
def sendmail(self, from_addr, to_addrs, msg, mail_options=[],
Index: Python-2.7.9/Misc/NEWS
===================================================================
--- Python-2.7.9.orig/Misc/NEWS
+++ Python-2.7.9/Misc/NEWS
@@ -5136,6 +5136,9 @@ Library
- Issue #8140: Extend compileall to compile single files. Add -i option.
+- Fix TLS stripping vulnerability in smptlib, CVE-2016-0772. Reported by Team
+ Oststrom
+
- Issue #7356: ctypes.util: Make parsing of ldconfig output independent of the
locale.
|