Описание
The smtplib library in CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 does not return an error when StartTLS fails, which might allow man-in-the-middle attackers to bypass the TLS protections by leveraging a network position between the client and the registry to block the StartTLS command, aka a "StartTLS stripping attack."
It was found that Python's smtplib library did not return an exception when StartTLS failed to be established in the SMTP.starttls() function. A man in the middle attacker could strip out the STARTTLS command without generating an exception on the Python SMTP client application, preventing the establishment of the TLS layer.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Enterprise Linux 5 | python | Will not fix | ||
| Red Hat Enterprise Linux 6 | python | Fixed | RHSA-2016:1626 | 18.08.2016 |
| Red Hat Enterprise Linux 7 | python | Fixed | RHSA-2016:1626 | 18.08.2016 |
| Red Hat Software Collections for Red Hat Enterprise Linux 6 | python27-python | Fixed | RHSA-2016:1628 | 18.08.2016 |
| Red Hat Software Collections for Red Hat Enterprise Linux 6 | python33-python | Fixed | RHSA-2016:1629 | 18.08.2016 |
| Red Hat Software Collections for Red Hat Enterprise Linux 6 | rh-python34-python | Fixed | RHSA-2016:1630 | 18.08.2016 |
| Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS | python27-python | Fixed | RHSA-2016:1628 | 18.08.2016 |
| Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS | python33-python | Fixed | RHSA-2016:1629 | 18.08.2016 |
| Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS | rh-python34-python | Fixed | RHSA-2016:1630 | 18.08.2016 |
| Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS | python27-python | Fixed | RHSA-2016:1628 | 18.08.2016 |
Показывать по
Дополнительная информация
Статус:
EPSS
4.8 Medium
CVSS3
5.8 Medium
CVSS2
Связанные уязвимости
The smtplib library in CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 does not return an error when StartTLS fails, which might allow man-in-the-middle attackers to bypass the TLS protections by leveraging a network position between the client and the registry to block the StartTLS command, aka a "StartTLS stripping attack."
The smtplib library in CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 does not return an error when StartTLS fails, which might allow man-in-the-middle attackers to bypass the TLS protections by leveraging a network position between the client and the registry to block the StartTLS command, aka a "StartTLS stripping attack."
The smtplib library in CPython (aka Python) before 2.7.12, 3.x before ...
The smtplib library in CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 does not return an error when StartTLS fails, which might allow man-in-the-middle attackers to bypass the TLS protections by leveraging a network position between the client and the registry to block the StartTLS command, aka a "StartTLS stripping attack."
EPSS
4.8 Medium
CVSS3
5.8 Medium
CVSS2