Your message dated Sun, 09 Jun 2024 17:55:15 +0000
with message-id <e1sgml9-00cwd5...@fasolo.debian.org>
and subject line Bug#1072119: fixed in python-aiosmtpd 1.4.6-1
has caused the Debian Bug report #1072119,
regarding python-aiosmtpd: CVE-2024-34083
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1072119: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1072119
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: python-aiosmtpd
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security
Hi,
The following vulnerability was published for python-aiosmtpd.
CVE-2024-34083[0]:
| aiosmptd is a reimplementation of the Python stdlib smtpd.py based
| on asyncio. Prior to version 1.4.6, servers based on aiosmtpd accept
| extra unencrypted commands after STARTTLS, treating them as if they
| came from inside the encrypted connection. This could be exploited
| by a man-in-the-middle attack. Version 1.4.6 contains a patch for
| the issue.
https://github.com/aio-libs/aiosmtpd/security/advisories/GHSA-wgjv-9j3q-jhg8
https://github.com/aio-libs/aiosmtpd/commit/b3a4a2c6ecfd228856a20d637dc383541fcdbfda
(v1.4.6)
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2024-34083
https://www.cve.org/CVERecord?id=CVE-2024-34083
Please adjust the affected versions in the BTS as needed.
--- End Message ---
--- Begin Message ---
Source: python-aiosmtpd
Source-Version: 1.4.6-1
Done: Jakob Haufe <su...@debian.org>
We believe that the bug you reported is fixed in the latest version of
python-aiosmtpd, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1072...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Jakob Haufe <su...@debian.org> (supplier of updated python-aiosmtpd package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 09 Jun 2024 19:24:43 +0200
Source: python-aiosmtpd
Architecture: source
Version: 1.4.6-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Team <team+pyt...@tracker.debian.org>
Changed-By: Jakob Haufe <su...@debian.org>
Closes: 1066820 1072119
Changes:
python-aiosmtpd (1.4.6-1) unstable; urgency=medium
.
[ Dale Richards ]
* Team upload.
* New upstream version 1.4.6
- CVE-2024-27305 - SMTP smuggling due to poor handling of
non-standard line endings (Closes: #1066820)
- CVE-2024-34083 - STARTTLS unencrypted command injection
(Closes: #1072119)
* d/watch: Update for new version format.
* Update patch line offsets for new upstream version.
* Add .gitattributes file to use CRLF line endings for
aiosmtpd/tests/test_smtpsmuggling.py, so the checked out file matches
the one in the upstream release tarball.
* Bump Standards-Version to 4.7.0, no changes needed.
Checksums-Sha1:
90e3401186c0cd0a417f33938cb96d3ea0bb588b 2252 python-aiosmtpd_1.4.6-1.dsc
3635c0bb5dd42c587753c7772a453977e7f643b7 153666
python-aiosmtpd_1.4.6.orig.tar.gz
40bb6ef9e9e8a4910c923c11e0837ac4658e06e2 6988
python-aiosmtpd_1.4.6-1.debian.tar.xz
e135c2e5b99b03f0400a7cad6ce697e15c2bf6c0 7308
python-aiosmtpd_1.4.6-1_source.buildinfo
Checksums-Sha256:
bc94ce2679039eb6264cb0c7d15774f322a306db86544b0b979aacbef3cb6f33 2252
python-aiosmtpd_1.4.6-1.dsc
297d28b1b57da9debe5c0f8815fc153cd17605120a59f6200735a720445c5337 153666
python-aiosmtpd_1.4.6.orig.tar.gz
06b589629f1656b625ae19ba5861129abf97e92fd0643b4a83d9aad596e67dfa 6988
python-aiosmtpd_1.4.6-1.debian.tar.xz
f3ceb954f351d2525a637b7f80a99dc9ee5191f8c5effa8c297ad2a51aae3739 7308
python-aiosmtpd_1.4.6-1_source.buildinfo
Files:
883580e39e6c0957a3aa24826a0e2d93 2252 python optional
python-aiosmtpd_1.4.6-1.dsc
6e8c6828395c3e5a37573e693d4c0e29 153666 python optional
python-aiosmtpd_1.4.6.orig.tar.gz
0c6ea50cc2995c7e34042a6c064d11d7 6988 python optional
python-aiosmtpd_1.4.6-1.debian.tar.xz
6ade3b26bd102fcffead9caa149696f7 7308 python optional
python-aiosmtpd_1.4.6-1_source.buildinfo
-----BEGIN PGP SIGNATURE-----
iQJFBAEBCgAvFiEEe/X2rDZDH11A3BN6TPKyGPVNrj0FAmZl5aoRHHN1cjVyQGRl
Ymlhbi5vcmcACgkQTPKyGPVNrj28QxAAr39as3Cw1yc2gIKYJbPdk+63ICAk40cu
9bXMD8TvkTSso4txlLvASHTABehiD1lqrPGnSSQoOYgpUUg634QLl+DmjATXxFYT
32WLJ684XZR8fZP/KWAEWlOJN1luwZZgP+TvKQMRwHpfuvEJ/1iYPJdf/DcFO0sq
6pMj9TQMV27+DNWBZ4CFGb9OKZ1iE4JRpQnfj/pE4+I5j2zEq7nS+4xHVmKq6AQq
8mQMnqnFUebtjHJmNMQg/aDjWRQFx1N+UuuFUE6IxeYBNY5zl7MMjElB+F7Qkeww
u6OHsmq6sh+rU86mdUPr3PaIWTiQGi6ci5JxPzoBxOjLm/ERRvKg+7jtUE6kFfLc
otmOzmkiHsOeRPr2pT5Uw4SfBoKzN6rRf5Af32tkick/Ykr43AzKSHd8vgMeYSZX
wcruoa74NDTRVEJtwxtA4RL4yVWTczhiO2vmFMEwfiQ1a5ytyoNidotWrNRKN/Bx
2twabXxQrj9181CZbV7UZX/PVJByEA84yuuMUK7FjdC4yApBsfLKRnTVZMyRYjDK
Gl2XVchUxJh3V5IM1t6O1NnwZSRtlrEFwPFjB3wuZf8a8vdxlqxNM1ez1Z3JjTLW
xzjeRJlehyC3+CcY43/XcGsDQBgkvryzFRxu76iL2oQ8xIU6DggehhB7OkYha+Br
Rrc+MYYrl5A=
=Kf2p
-----END PGP SIGNATURE-----
pgp7uoC2ndV2e.pgp
Description: PGP signature
--- End Message ---
