Description
Security update for python-aiosmtpd
This update for python-aiosmtpd fixes the following issues:
- CVE-2024-34083: Fixed a MITM attack that could inject extra unencrypted commands after STARTTLS (boo#1224467)
- CVE-2024-27305: Fixed SMTP smuggling (boo#1221328)
Package list
SUSE Package Hub 15 SP5
openSUSE Leap 15.5
References
- E-Mail link for openSUSE-SU-2024:0243-1
- SUSE Security Ratings
- SUSE Bug 1221328
- SUSE Bug 1224467
- SUSE CVE CVE-2024-27305 page
- SUSE CVE CVE-2024-34083 page
Description
aiosmtpd is a reimplementation of the Python stdlib smtpd.py based on asyncio. aiosmtpd is vulnerable to inbound SMTP smuggling. SMTP smuggling is a novel attack that rests on a not-so-novel problem: different SMTP implementations disagree about which byte sequence ends the DATA section of a message. By exploiting SMTP smuggling, an attacker can smuggle and spoof e-mails with fake sender addresses, enabling advanced phishing attacks. The issue also exists in other SMTP software such as Postfix. Given the right constellation of SMTP servers, an attacker can send spoofed e-mails to inbound/receiving aiosmtpd instances. This issue has been addressed in version 1.4.5. Users are advised to upgrade. There are no known workarounds for this vulnerability.
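The framing disagreement described above, shown as an added example (this is illustrative code written for this page, not aiosmtpd's parser or its fix). One toy SMTP state machine replays the same command stream twice: once with strict RFC 5321 framing, where only CRLF.CRLF ends DATA, and once with lenient framing that also accepts a dot framed by bare LF or CR. The session bytes, host names and the particular non-standard sequence used are constructed for the demonstration. The strict run models the outbound relay, which relays the body untouched; the lenient run models a vulnerable inbound server, which splits the same bytes into two messages, the second with a sender it never authenticated.

```python
import re

# Only the RFC 5321 end-of-data sequence terminates a DATA section.
STRICT_EOD = re.compile(rb"\r\n\.\r\n")
# A lenient receiver also ends DATA on a lone dot framed by bare LF or bare CR
# (one of several non-standard sequences smuggling relies on; constructed set).
LENIENT_EOD = re.compile(rb"(?:\r\n|\n|\r)\.(?:\r\n|\n|\r)")


def process_session(raw: bytes, strict: bool) -> list:
    """Replay an SMTP command stream (server side) and return the accepted
    messages as dicts: mail_from, rcpt_to, body.  The only knob is how the end
    of DATA is recognised; everything else is a toy SMTP state machine.
    Dot-stuffing and server replies are ignored: this is about framing."""
    eod = STRICT_EOD if strict else LENIENT_EOD
    messages = []
    envelope = {"mail_from": None, "rcpt_to": []}
    pos = 0
    while pos < len(raw):
        nl = raw.find(b"\r\n", pos)      # command lines are always CRLF-terminated
        if nl == -1:
            break
        line = raw[pos:nl]
        pos = nl + 2
        verb, _, arg = line.partition(b" ")
        verb = verb.upper()
        if verb == b"MAIL":
            envelope = {"mail_from": arg.split(b":", 1)[1].strip(), "rcpt_to": []}
        elif verb == b"RCPT":
            envelope["rcpt_to"].append(arg.split(b":", 1)[1].strip())
        elif verb == b"DATA":
            # Prepend CRLF so a terminator at the very start of the body matches.
            buf = b"\r\n" + raw[pos:]
            m = eod.search(buf)
            if m is None:
                raise ValueError("DATA section never terminated")
            messages.append({"mail_from": envelope["mail_from"],
                             "rcpt_to": envelope["rcpt_to"],
                             "body": buf[2:m.start()]})
            envelope = {"mail_from": None, "rcpt_to": []}
            pos += m.end() - 2           # resume command parsing right after the terminator
        elif verb == b"QUIT":
            break
    return messages


# Constructed attacker session: one message whose body hides a bare-LF "dot"
# line followed by a second, spoofed envelope.
SMUGGLING_SESSION = (
    b"MAIL FROM:<attacker@outbound.example>\r\n"
    b"RCPT TO:<victim@inbound.example>\r\n"
    b"DATA\r\n"
    b"Subject: hello\r\n"
    b"\r\n"
    b"legit body"
    b"\n.\n"                                       # non-standard end-of-data sequence
    b"MAIL FROM:<ceo@inbound.example>\r\n"         # smuggled commands
    b"RCPT TO:<victim@inbound.example>\r\n"
    b"DATA\r\n"
    b"smuggled body\r\n"
    b".\r\n"                                       # standard terminator; ends the outer DATA
    b"QUIT\r\n"
)


def smuggled_senders(raw: bytes = SMUGGLING_SESSION) -> list:
    """Senders a lenient inbound server accepts that a strict parser never sees."""
    strict = {m["mail_from"] for m in process_session(raw, strict=True)}
    return [m["mail_from"] for m in process_session(raw, strict=False)
            if m["mail_from"] not in strict]


if __name__ == "__main__":
    # Outbound relay view: strict framing, a single message relayed verbatim.
    for m in process_session(SMUGGLING_SESSION, strict=True):
        print("outbound sees:", m["mail_from"], len(m["body"]), "body bytes")
    # Vulnerable inbound view: lenient framing turns it into two messages.
    for m in process_session(SMUGGLING_SESSION, strict=False):
        print("inbound sees: ", m["mail_from"], m["body"][:20])
    print("smuggled sender(s):", smuggled_senders())
```

The point of the pair is that the outbound side's correctness is what delivers the attack: because it only recognises CRLF.CRLF, the attacker's bytes pass through unchanged and reach a receiver that recognises more. The fix on the receiving side is to accept nothing but CRLF.CRLF as end of data, which is also why no configuration workaround exists for a server that does otherwise.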
Affected products
References
- CVE-2024-27305
- SUSE Bug 1221328
Description
aiosmtpd is a reimplementation of the Python stdlib smtpd.py based on asyncio. Prior to version 1.4.6, servers based on aiosmtpd accept extra unencrypted commands after STARTTLS, treating them as if they came from inside the encrypted connection: commands that a man-in-the-middle appends in cleartext to the client's STARTTLS command are executed after the TLS handshake as though the client had sent them over the encrypted channel. Version 1.4.6 contains a patch for the issue.
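The mechanism behind this class of bug, as an added example that is not aiosmtpd's code or its actual patch: a server reads from the socket into a buffer, and if the client (or someone in the middle) sends STARTTLS and further commands in the same segment, the bytes after STARTTLS are already sitting in that buffer when the server switches the connection to TLS. A server that simply keeps reading from the buffer then executes cleartext commands while believing the channel is encrypted. The simulation below has no real TLS; the traffic, host names and the "clear the buffer on STARTTLS" hardening are constructed assumptions used to show the difference.

```python
# Constructed traffic (assumption): everything an attacker in the middle can
# deliver to the server in the clear before the TLS handshake.  The commands
# after STARTTLS are the injection.
PLAINTEXT_SEGMENT = (
    b"EHLO client.example\r\n"
    b"STARTTLS\r\n"
    b"MAIL FROM:<attacker@evil.example>\r\n"   # injected in cleartext
    b"RCPT TO:<victim@inbound.example>\r\n"    # injected in cleartext
)
# What the legitimate client sends once the TLS session is established.
TLS_SEGMENT = (
    b"EHLO client.example\r\n"
    b"MAIL FROM:<alice@client.example>\r\n"
    b"QUIT\r\n"
)


class SimulatedSmtpServer:
    """Toy server: a read buffer fed first from the plaintext socket and, after
    STARTTLS, from the TLS channel.  The single difference between the two
    variants is whether the buffer is emptied when TLS is switched on."""

    def __init__(self, plaintext: bytes, tls: bytes, clear_buffer_on_starttls: bool):
        self._buf = bytearray(plaintext)   # bytes already read before the handshake
        self._tls_pending = tls
        self._encrypted = False
        self._clear = clear_buffer_on_starttls
        self.log = []                      # (command line, server believed it encrypted)

    def _readline(self):
        nl = self._buf.find(b"\r\n")
        if nl == -1:
            if self._encrypted and self._tls_pending:
                self._buf += self._tls_pending   # first read from the TLS channel
                self._tls_pending = b""
                return self._readline()
            return None
        line = bytes(self._buf[:nl])
        del self._buf[:nl + 2]
        return line

    def serve(self):
        while (line := self._readline()) is not None:
            verb = line.split(b" ", 1)[0].upper()
            self.log.append((line, self._encrypted))
            if verb == b"STARTTLS":
                if self._clear:
                    # Hardened variant: bytes that followed STARTTLS in the same
                    # segment arrived in the clear, so they must never run as
                    # encrypted commands.  Rejecting the whole session when the
                    # buffer is not empty is the stricter alternative.
                    self._buf.clear()
                self._encrypted = True     # the TLS handshake would happen here
            elif verb == b"QUIT":
                break
        return self.log


def commands_executed_as_encrypted(clear_buffer_on_starttls: bool) -> list:
    """Commands the server executed while it believed the channel was encrypted."""
    server = SimulatedSmtpServer(PLAINTEXT_SEGMENT, TLS_SEGMENT, clear_buffer_on_starttls)
    return [line for line, encrypted in server.serve() if encrypted]


if __name__ == "__main__":
    print("vulnerable:", commands_executed_as_encrypted(False))
    print("hardened:  ", commands_executed_as_encrypted(True))
```

In the vulnerable run the injected MAIL FROM and RCPT TO are the first two commands executed "inside" TLS, before the real client has sent a single encrypted byte; in the hardened run only the client's own EHLO, MAIL FROM and QUIT appear. When checking a real deployment, the observable symptom is the same: a STARTTLS sent together with a trailing command in one write must not produce a reply to that command after the handshake.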
Affected products
References
- CVE-2024-34083
- SUSE Bug 1224467