andrewmusselman opened a new issue, #683:
URL: https://github.com/apache/tooling-trusted-releases/issues/683
**ASVS Requirement:** V12.2.1
**CWE:** CWE-319 (Cleartext Transmission of Sensitive Information)
**Severity:** HIGH
**File:** `atr/mail.py` (lines ~113–122)
### Description
The mail relay connection creates a properly configured TLS context (TLS 1.2
minimum), but connects to port 587 without initiating STARTTLS. Port 587 uses
"explicit TLS", meaning the connection starts unencrypted and must be upgraded
via STARTTLS. Without `start_tls=True` or an explicit `await smtp.starttls()`
call, email contents — including vote notifications and release information —
may be transmitted in cleartext.
### Current code
```python
import ssl

import aiosmtplib

# _MAIL_RELAY, _SMTP_PORT and _SMTP_TIMEOUT are module-level constants defined
# elsewhere in atr/mail.py; the relay port in question is 587 (explicit TLS).


async def _send_via_relay(from_addr: str, to_addr: str, msg_bytes: bytes) -> None:
    _validate_recipient(to_addr)
    context = ssl.create_default_context()
    context.minimum_version = ssl.TLSVersion.TLSv1_2
    # The context is built correctly, but nothing here asks for a STARTTLS
    # upgrade, so the session to port 587 stays as it was opened: cleartext.
    smtp = aiosmtplib.SMTP(hostname=_MAIL_RELAY, port=_SMTP_PORT,
                           timeout=_SMTP_TIMEOUT, tls_context=context)
    await smtp.connect()
    await smtp.ehlo()
    await smtp.sendmail(from_addr, [to_addr], msg_bytes)
    await smtp.quit()
```
### Recommended fix
Add `start_tls=True` to the SMTP constructor:
```python
smtp = aiosmtplib.SMTP(
    hostname=_MAIL_RELAY,
    port=_SMTP_PORT,
    timeout=_SMTP_TIMEOUT,
    tls_context=context,
    start_tls=True,
)
```
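Beyond flipping the flag, a defender usually wants the sender to fail closed: verify that the relay advertises STARTTLS, perform the upgrade, and confirm the socket is actually TLS-wrapped before any message bytes leave the process. The following is an added example, not code from `atr/mail.py` or from aiosmtplib; it assumes an aiosmtplib-style session object (`connect`, `ehlo`, `starttls`, `supports_extension`, `get_transport_info`, `sendmail`, `quit`) constructed with `start_tls=False` so the upgrade is driven and checked explicitly rather than left to the library default, and it ships a constructed `FakeRelay` so it runs offline.

```python
import asyncio
import ssl

class CleartextRefused(RuntimeError):
    """Raised when mail would be handed to the relay without TLS protection."""

def relay_client_kwargs(host: str, port: int, timeout: int) -> dict:
    """Constructor kwargs for aiosmtplib.SMTP (assumed API); start_tls=False on purpose."""
    context = ssl.create_default_context()  # verifies certificate and hostname
    context.minimum_version = ssl.TLSVersion.TLSv1_2
    return dict(hostname=host, port=port, timeout=timeout,
                tls_context=context, start_tls=False)

async def send_with_enforced_starttls(smtp, from_addr, to_addr, msg_bytes):
    """Explicit-TLS (port 587) flow: connect in cleartext, require STARTTLS,
    confirm the transport is wrapped, and only then hand over message bytes."""
    await smtp.connect()
    await smtp.ehlo()
    if not smtp.supports_extension("STARTTLS"):
        await smtp.quit()
        raise CleartextRefused("relay does not advertise STARTTLS; refusing to send")
    await smtp.starttls()
    await smtp.ehlo()  # capabilities must be re-read after the upgrade
    if smtp.get_transport_info("sslcontext") is None:
        await smtp.quit()
        raise CleartextRefused("transport is still cleartext after STARTTLS")
    await smtp.sendmail(from_addr, [to_addr], msg_bytes)
    await smtp.quit()

class FakeRelay:
    """Constructed stand-in for an aiosmtplib.SMTP session, for offline use only."""
    def __init__(self, advertises_starttls: bool):
        self.advertises, self.tls, self.log, self.sent = advertises_starttls, False, [], []
    async def connect(self): self.log.append("connect")
    async def ehlo(self): self.log.append("ehlo")
    async def quit(self): self.log.append("quit")
    async def starttls(self): self.tls = True; self.log.append("starttls")
    def supports_extension(self, name): return name == "STARTTLS" and self.advertises
    def get_transport_info(self, key): return "ctx" if key == "sslcontext" and self.tls else None
    async def sendmail(self, frm, to, data): self.log.append("sendmail"); self.sent.append(data)

def demo(advertises_starttls: bool) -> tuple:
    """Run the flow against FakeRelay; returns (call log, messages sent, refused?)."""
    relay, refused = FakeRelay(advertises_starttls), False
    try:
        asyncio.run(send_with_enforced_starttls(relay, "a@example.test", "b@example.test", b"hi"))
    except CleartextRefused:
        refused = True
    return relay.log, len(relay.sent), refused
```

With a relay that does not offer STARTTLS the message is never handed over and the session is closed, which is the behaviour to prefer over a silent cleartext fallback.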