[issue30585] [security][3.3] Backport smtplib fix for TLS stripping vulnerability, CVE-2016-0772

2017-07-18 Thread Ned Deily

Ned Deily added the comment:

Merged for release in 3.3.7rc1

--
priority: release blocker -> 
resolution:  -> fixed
stage:  -> resolved
status: open -> closed

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com



[issue30585] [security][3.3] Backport smtplib fix for TLS stripping vulnerability, CVE-2016-0772

2017-07-18 Thread Ned Deily

Ned Deily added the comment:


New changeset 3625f7fd11679ecb390ffa58ef36d487acc8159b by Ned Deily (Victor Stinner) in branch '3.3':
[3.3] bpo-30585: [security] raise an error when STARTTLS fails (#225)
https://github.com/python/cpython/commit/3625f7fd11679ecb390ffa58ef36d487acc8159b


--
nosy: +ned.deily




[issue30585] [security][3.3] Backport smtplib fix for TLS stripping vulnerability, CVE-2016-0772

2017-06-07 Thread STINNER Victor

STINNER Victor added the comment:

PEP 398: Python 3.3 Release Schedule

Python 3.3 branch end of support is expected to be at 2017-09-29, in 4 months.

--
assignee:  -> georg.brandl




[issue30585] [security][3.3] Backport smtplib fix for TLS stripping vulnerability, CVE-2016-0772

2017-06-07 Thread STINNER Victor

New submission from STINNER Victor:

Attached pull request backports a fix for this security vulnerability:
http://python-security.readthedocs.io/vuln/cve-2016-0772_smtplib_tls_stripping.html

"A vulnerability in smtplib allowing MITM attacker to perform a startTLS 
stripping attack. smtplib does not seem to raise an exception when the remote 
end (SMTP server) is capable of negotiating starttls but fails to respond with 
220 (ok) to an explicit call of SMTP.starttls(). This may allow a malicious 
MITM to perform a startTLS stripping attack if the client code does not 
explicitly check the response code for startTLS."

Reported by: Tin (Team Oststrom)

Python 2.7, 3.4, 3.5 and 3.6 are already safe.

--
messages: 295319
nosy: georg.brandl, haypo
priority: release blocker
pull_requests: 2047
severity: normal
status: open
title: [security][3.3] Backport smtplib fix for TLS stripping vulnerability, 
CVE-2016-0772
type: security
versions: Python 3.3

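The quoted vulnerability description boils down to one missing check: a client that sends STARTTLS and then continues the session regardless of the reply code can be kept in plaintext by a man-in-the-middle that answers with anything other than 220. The following is an added example, not code from the bug thread or from CPython's smtplib. It uses a constructed stand-in SMTP server on localhost (names such as `run_fake_server`, `negotiate_starttls` and `StartTLSRefused` are this example's own) so that both sides of the EHLO/STARTTLS exchange are visible, and contrasts the pre-fix behaviour (ignore the code, keep talking plaintext) with the behaviour the fix introduces (raise on any non-220 reply). No TLS handshake is performed; where a real client would wrap the socket, the function simply reports "tls".

```python
import socket
import threading


class StartTLSRefused(Exception):
    """Raised when the server answers STARTTLS with anything but 220 (hypothetical name)."""

    def __init__(self, code, message):
        super().__init__(f"STARTTLS refused: {code} {message}")
        self.code = code
        self.message = message


def run_fake_server(starttls_reply):
    """Start a constructed stand-in SMTP server on a random localhost port.

    It advertises STARTTLS in its EHLO response and answers the STARTTLS
    command with `starttls_reply`. A reply other than 220 models what the
    client sees when a MITM refuses or strips the upgrade.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        srv.close()  # one connection is enough for the simulation
        with conn, conn.makefile("rwb") as f:
            f.write(b"220 fake.example ESMTP\r\n")
            f.flush()
            while True:
                raw = f.readline()
                if not raw:
                    break
                cmd = raw.strip().upper()
                if cmd.startswith(b"EHLO"):
                    f.write(b"250-fake.example\r\n250-STARTTLS\r\n250 OK\r\n")
                elif cmd == b"STARTTLS":
                    f.write(starttls_reply + b"\r\n")
                    f.flush()
                    break  # the simulation stops once STARTTLS has been answered
                elif cmd == b"QUIT":
                    f.write(b"221 Bye\r\n")
                    f.flush()
                    break
                else:
                    f.write(b"500 Unknown command\r\n")
                f.flush()

    threading.Thread(target=serve, daemon=True).start()
    return port


def read_reply(f):
    """Read one SMTP reply (single- or multi-line); return (code, text lines)."""
    lines = []
    while True:
        raw = f.readline()
        if not raw:
            raise ConnectionError("server closed the connection")
        line = raw.rstrip(b"\r\n").decode("ascii", "replace")
        lines.append(line[4:])
        if line[3:4] != "-":  # "250-..." continues, "250 ..." is the last line
            return int(line[:3]), lines


def negotiate_starttls(port, check_reply_code):
    """Run EHLO + STARTTLS against the server on `port`.

    Returns "tls" when the server accepted the upgrade (a real client would
    now wrap the socket with an ssl.SSLContext). With check_reply_code=False
    a non-220 reply is ignored and "plaintext" is returned: the pre-fix
    behaviour that makes stripping possible. With check_reply_code=True the
    same reply raises StartTLSRefused, which is what the fix does.
    """
    with socket.create_connection(("127.0.0.1", port), timeout=5) as sock:
        f = sock.makefile("rwb")
        code, _ = read_reply(f)
        if code != 220:
            raise ConnectionError(f"unexpected greeting {code}")
        f.write(b"EHLO client.example\r\n")
        f.flush()
        code, caps = read_reply(f)
        if code != 250 or "STARTTLS" not in (c.upper() for c in caps):
            raise StartTLSRefused(code, "server does not advertise STARTTLS")
        f.write(b"STARTTLS\r\n")
        f.flush()
        code, text = read_reply(f)
        if code == 220:
            return "tls"
        if check_reply_code:
            raise StartTLSRefused(code, text[0])
        return "plaintext"  # the unsafe path: session continues unencrypted


if __name__ == "__main__":
    print(negotiate_starttls(run_fake_server(b"220 Ready to start TLS"), True))
    print(negotiate_starttls(run_fake_server(b"454 TLS not available"), False))
    try:
        negotiate_starttls(run_fake_server(b"454 TLS not available"), True)
    except StartTLSRefused as exc:
        print("detected:", exc)
```

The third call is the interesting one: the server advertised STARTTLS in EHLO, so a capability check alone would pass, and only inspecting the reply to the STARTTLS command itself catches the downgrade. That is exactly the check the backported fix adds to `SMTP.starttls()`.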