Fix for: CVE-2016-0772 python: smtplib StartTLS stripping attack (rhbz#1303647)
Raise an error when STARTTLS fails. - rhbz#1303647: https://bugzilla.redhat.com/show_bug.cgi?id=1303647 - rhbz#1346345: https://bugzilla.redhat.com/show_bug.cgi?id=1346345 - Fixed upstream: https://hg.python.org/cpython/rev/d590114c2394
This commit is contained in:
parent
5279a7c9ec
commit
8f231d01cd
35
00210-Raise-an-error-when-STARTTLS-fails.patch
Normal file
35
00210-Raise-an-error-when-STARTTLS-fails.patch
Normal file
@ -0,0 +1,35 @@
|
|||||||
|
From 761db274ca898f8a92348ed5979d3d3c1b0d634a Mon Sep 17 00:00:00 2001
|
||||||
|
From: Tomas Orsava <torsava@redhat.com>
|
||||||
|
Date: Fri, 17 Jun 2016 16:08:11 +0200
|
||||||
|
Subject: [PATCH] Raise an error when STARTTLS fails
|
||||||
|
|
||||||
|
CVE-2016-0772 python: smtplib StartTLS stripping attack
|
||||||
|
rhbz#1303647: https://bugzilla.redhat.com/show_bug.cgi?id=1303647
|
||||||
|
rhbz#1346345: https://bugzilla.redhat.com/show_bug.cgi?id=1346345
|
||||||
|
|
||||||
|
Based on an upstream change by Benjamin Peterson <benjamin@python.org>
|
||||||
|
- in changeset 101887:d590114c2394 3.4
|
||||||
|
- https://hg.python.org/cpython/rev/d590114c2394
|
||||||
|
---
|
||||||
|
Lib/smtplib.py | 5 +++++
|
||||||
|
1 file changed, 5 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/Lib/smtplib.py b/Lib/smtplib.py
|
||||||
|
index 4756973..dfbf5f9 100755
|
||||||
|
--- a/Lib/smtplib.py
|
||||||
|
+++ b/Lib/smtplib.py
|
||||||
|
@@ -773,6 +773,11 @@ class SMTP:
|
||||||
|
self.ehlo_resp = None
|
||||||
|
self.esmtp_features = {}
|
||||||
|
self.does_esmtp = 0
|
||||||
|
+ else:
|
||||||
|
+ # RFC 3207:
|
||||||
|
+ # 501 Syntax error (no parameters allowed)
|
||||||
|
+ # 454 TLS not available due to temporary reason
|
||||||
|
+ raise SMTPResponseException(resp, reply)
|
||||||
|
return (resp, reply)
|
||||||
|
|
||||||
|
def sendmail(self, from_addr, to_addrs, msg, mail_options=[],
|
||||||
|
--
|
||||||
|
2.5.5
|
||||||
|
|
18
python3.spec
18
python3.spec
@ -112,7 +112,7 @@
|
|||||||
Summary: Version 3 of the Python programming language aka Python 3000
|
Summary: Version 3 of the Python programming language aka Python 3000
|
||||||
Name: python3
|
Name: python3
|
||||||
Version: %{pybasever}.1
|
Version: %{pybasever}.1
|
||||||
Release: 8%{?dist}
|
Release: 9%{?dist}
|
||||||
License: Python
|
License: Python
|
||||||
Group: Development/Languages
|
Group: Development/Languages
|
||||||
|
|
||||||
@ -430,6 +430,14 @@ Patch208: 00208-disable-test_with_pip-on-ppc.patch
|
|||||||
# FIXED UPSTREAM
|
# FIXED UPSTREAM
|
||||||
Patch209: 00209-prevent-buffer-overflow-in-zipimport-module.patch
|
Patch209: 00209-prevent-buffer-overflow-in-zipimport-module.patch
|
||||||
|
|
||||||
|
# 00210 #
|
||||||
|
# CVE-2016-0772 python: smtplib StartTLS stripping attack
|
||||||
|
# rhbz#1303647: https://bugzilla.redhat.com/show_bug.cgi?id=1303647
|
||||||
|
# rhbz#1346345: https://bugzilla.redhat.com/show_bug.cgi?id=1346345
|
||||||
|
# FIXED UPSTREAM: https://hg.python.org/cpython/rev/d590114c2394
|
||||||
|
# Raise an error when STARTTLS fails
|
||||||
|
Patch210: 00210-Raise-an-error-when-STARTTLS-fails.patch
|
||||||
|
|
||||||
# add correct arch for ppc64/ppc64le
|
# add correct arch for ppc64/ppc64le
|
||||||
# it should be ppc64le-linux-gnu/ppc64-linux-gnu instead powerpc64le-linux-gnu/powerpc64-linux-gnu
|
# it should be ppc64le-linux-gnu/ppc64-linux-gnu instead powerpc64le-linux-gnu/powerpc64-linux-gnu
|
||||||
Patch5001: python3-powerppc-arch.patch
|
Patch5001: python3-powerppc-arch.patch
|
||||||
@ -658,6 +666,7 @@ sed -r -i s/'_PIP_VERSION = "[0-9.]+"'/'_PIP_VERSION = "%{pip_version}"'/ Lib/en
|
|||||||
%patch207 -p1
|
%patch207 -p1
|
||||||
%patch208 -p1
|
%patch208 -p1
|
||||||
%patch209 -p1
|
%patch209 -p1
|
||||||
|
%patch210 -p1
|
||||||
|
|
||||||
# Currently (2010-01-15), http://docs.python.org/library is for 2.6, and there
|
# Currently (2010-01-15), http://docs.python.org/library is for 2.6, and there
|
||||||
# are many differences between 2.6 and the Python 3 library.
|
# are many differences between 2.6 and the Python 3 library.
|
||||||
@ -1559,6 +1568,13 @@ rm -fr %{buildroot}
|
|||||||
# ======================================================
|
# ======================================================
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Thu Jun 16 2016 Tomas Orsava <torsava@redhat.com> - 3.5.1-9
|
||||||
|
- Fix for: CVE-2016-0772 python: smtplib StartTLS stripping attack
|
||||||
|
- Raise an error when STARTTLS fails
|
||||||
|
- rhbz#1303647: https://bugzilla.redhat.com/show_bug.cgi?id=1303647
|
||||||
|
- rhbz#1346345: https://bugzilla.redhat.com/show_bug.cgi?id=1346345
|
||||||
|
- Fixed upstream: https://hg.python.org/cpython/rev/d590114c2394
|
||||||
|
|
||||||
* Mon Jun 13 2016 Charalampos Stratakis <cstratak@redhat.com> - 3.5.1-8
|
* Mon Jun 13 2016 Charalampos Stratakis <cstratak@redhat.com> - 3.5.1-8
|
||||||
- Added patch for fixing possible integer overflow and heap corruption in zipimporter.get_data()
|
- Added patch for fixing possible integer overflow and heap corruption in zipimporter.get_data()
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user