Fix for: CVE-2016-0772 python: smtplib StartTLS stripping attack (rhbz#1303647)
Raise an error when STARTTLS fails.
- rhbz#1303647: https://bugzilla.redhat.com/show_bug.cgi?id=1303647
- rhbz#1346344: https://bugzilla.redhat.com/show_bug.cgi?id=1346344
- Fixed upstream: https://hg.python.org/cpython/rev/b3ce713fb9be
parent 138d744295
commit 570612449e
@ -0,0 +1,35 @@
From c2c98ddde2665d12e34f17c4eac90832df720114 Mon Sep 17 00:00:00 2001
From: Tomas Orsava <torsava@redhat.com>
Date: Thu, 16 Jun 2016 18:56:18 +0200
Subject: [PATCH] Raise an error when STARTTLS fails
CVE-2016-0772 python: smtplib StartTLS stripping attack
rhbz#1303647: https://bugzilla.redhat.com/show_bug.cgi?id=1303647
rhbz#1346344: https://bugzilla.redhat.com/show_bug.cgi?id=1346344
Based on an upstream change by Benjamin Peterson <benjamin@python.org>
- in changeset 101886:b3ce713fb9be 2.7
- https://hg.python.org/cpython/rev/b3ce713fb9be
---
Lib/smtplib.py | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/Lib/smtplib.py b/Lib/smtplib.py
index 8388b98..e1651c0 100755
--- a/Lib/smtplib.py
+++ b/Lib/smtplib.py
@@ -656,6 +656,11 @@ class SMTP:
self.ehlo_resp = None
self.esmtp_features = {}
self.does_esmtp = 0
+ else:
+ # RFC 3207:
+ # 501 Syntax error (no parameters allowed)
+ # 454 TLS not available due to temporary reason
+ raise SMTPResponseException(resp, reply)
return (resp, reply)
def sendmail(self, from_addr, to_addrs, msg, mail_options=[],
--
2.5.5
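Review bot: the diffstat in this patch (Lib/smtplib.py | 5 +++++, 1 file changed) shows the new raise ships with no test and no docstring or NEWS update, so the behaviour change in the STARTTLS handler of class SMTP (a reply other than 220 now raises SMTPResponseException(resp, reply) instead of being handed back to the caller as (resp, reply)) is visible only to someone reading the diff; add a test that answers STARTTLS with a 454 and asserts SMTPResponseException, and document the new exception where the method's return value is described. The comment above the raise lists only the two RFC 3207 failure codes (501 and 454) while the else branch deliberately covers every non-220 reply, which is what defeats a stripping peer that never sends 220; reword the comment so it says the branch handles any non-220 response rather than only those two codes.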
python.spec | 18
@ -108,7 +108,7 @@ Summary: An interpreted, interactive, object-oriented programming language
Name: %{python}
# Remember to also rebase python-docs when changing this:
Version: 2.7.11
Release: 5%{?dist}
Release: 6%{?dist}
License: Python
Group: Development/Languages
Requires: %{python}-libs%{?_isa} = %{version}-%{release}
@ -917,6 +917,14 @@ Patch200: 00200-skip-thread-test.patch
# FIXED UPSTREAM
Patch201: 00201-prevent-buffer-overflow-in-zipimport-module.patch
# 00210 #
# CVE-2016-0772 python: smtplib StartTLS stripping attack
# rhbz#1303647: https://bugzilla.redhat.com/show_bug.cgi?id=1303647
# rhbz#1346344: https://bugzilla.redhat.com/show_bug.cgi?id=1346344
# FIXED UPSTREAM: https://hg.python.org/cpython/rev/b3ce713fb9be
# Raise an error when STARTTLS fails
Patch210: 00210-Raise-an-error-when-STARTTLS-fails.patch
# (New patches go here ^^^)
#
# When adding new patches to "python" and "python3" in Fedora 17 onwards,
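Review bot: the new 00210 comment block marks the patch FIXED UPSTREAM with the changeset URL but does not record the first upstream release that contains the fix, so nothing in the spec tells whoever rebases past Version: 2.7.11 that Patch210 must be dropped rather than carried forward; add the release to the "# FIXED UPSTREAM:" line. Minor consistency point: Patch201 places its "# FIXED UPSTREAM" marker directly above the Patch line, while the 00210 block puts it in the middle of its comment and ends with the one-line summary; use the same order for both so the markers are easy to grep for at rebase time.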
@ -1282,6 +1290,7 @@ mv Modules/cryptmodule.c Modules/_cryptmodule.c
%endif
%patch200 -p1
%patch201 -p1
%patch210 -p1
# This shouldn't be necesarry, but is right now (2.2a3)
@ -2133,6 +2142,13 @@ rm -fr %{buildroot}
# ======================================================
%changelog
* Thu Jun 16 2016 Tomas Orsava <torsava@redhat.com> - 2.7.11-6
- Fix for: CVE-2016-0772 python: smtplib StartTLS stripping attack
- Raise an error when STARTTLS fails
- rhbz#1303647: https://bugzilla.redhat.com/show_bug.cgi?id=1303647
- rhbz#1346344: https://bugzilla.redhat.com/show_bug.cgi?id=1346344
- Fixed upstream: https://hg.python.org/cpython/rev/b3ce713fb9be
* Mon Jun 13 2016 Charalampos Stratakis <cstratak@redhat.com> - 2.7.11-5
- Added patch for fixing possible integer overflow and heap corruption in zipimporter.get_data()
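Review bot: the 2.7.11-6 changelog entry repeats the commit subject and the bug URLs but never states the user-visible change, namely that a STARTTLS reply other than 220 now raises SMTPResponseException instead of being returned as (resp, reply); callers that inspected the return value will see new exceptions after this update, so add one bullet that says so, since the changelog is what packagers and users read when the update lands.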