Your message dated Sun, 16 Jun 2024 20:33:55 +0000
with message-id <e1siwzx-00dpdu...@fasolo.debian.org>
and subject line Bug#1072119: fixed in python-aiosmtpd 1.4.3-1.1+deb12u1
has caused the Debian Bug report #1072119,
regarding python-aiosmtpd: CVE-2024-34083
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1072119: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1072119
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: python-aiosmtpd
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for python-aiosmtpd.

CVE-2024-34083[0]:
| aiosmtpd is a reimplementation of the Python stdlib smtpd.py based
| on asyncio. Prior to version 1.4.6, servers based on aiosmtpd accept
| extra unencrypted commands after STARTTLS, treating them as if they
| came from inside the encrypted connection. This could be exploited
| by a man-in-the-middle attack. Version 1.4.6 contains a patch for
| the issue.

https://github.com/aio-libs/aiosmtpd/security/advisories/GHSA-wgjv-9j3q-jhg8
https://github.com/aio-libs/aiosmtpd/commit/b3a4a2c6ecfd228856a20d637dc383541fcdbfda (v1.4.6)


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-34083
    https://www.cve.org/CVERecord?id=CVE-2024-34083

Please adjust the affected versions in the BTS as needed.

--- End Message ---
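The flaw described in the advisory above is a buffer-handling mistake: bytes that arrive in the same plaintext read as the STARTTLS command are still sitting in the server's line buffer when the TLS handshake completes, so they get processed as if they had been received over the encrypted channel. The following constructed model (added here; it is not aiosmtpd's code and does not reproduce the upstream patch) shows that mistake next to the hardened behaviour of discarding any pre-handshake leftovers.

```python
"""Model of pre-STARTTLS buffer handling (constructed illustration, not aiosmtpd code)."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Session:
    """Minimal SMTP session state: a receive buffer, a TLS flag and a command log."""
    buffer: bytes = b""
    tls_active: bool = False
    # Each entry records (command line, whether the server believed TLS was active).
    log: List[Tuple[bytes, bool]] = field(default_factory=list)

    def feed(self, data: bytes) -> None:
        self.buffer += data

    def read_line(self) -> Optional[bytes]:
        nl = self.buffer.find(b"\r\n")
        if nl < 0:
            return None
        line, self.buffer = self.buffer[:nl], self.buffer[nl + 2:]
        return line


def handle_command(sess: Session, line: bytes, discard_on_starttls: bool) -> str:
    """Dispatch one command; STARTTLS flips the TLS flag (handshake modelled as instant)."""
    verb = line.split(b" ", 1)[0].upper()
    if verb == b"STARTTLS":
        if sess.tls_active:
            return "503 Already using TLS"
        sess.tls_active = True
        if discard_on_starttls:
            # Hardened: anything already buffered arrived in plaintext before the
            # handshake, so it must not be treated as part of the encrypted session.
            sess.buffer = b""
        return "220 Ready to start TLS"
    sess.log.append((line, sess.tls_active))
    return "250 OK"


def run(client_bytes: bytes, discard_on_starttls: bool) -> List[Tuple[bytes, bool]]:
    """Feed one plaintext read into a fresh session and return the command log."""
    sess = Session()
    sess.feed(client_bytes)
    while (line := sess.read_line()) is not None:
        handle_command(sess, line, discard_on_starttls)
    return sess.log
```

With `discard_on_starttls=False`, a command that follows STARTTLS in the same plaintext read is logged with `tls_active=True`; with the hardened setting it never reaches the dispatcher.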
--- Begin Message ---
Source: python-aiosmtpd
Source-Version: 1.4.3-1.1+deb12u1
Done: Dale Richards <d...@dalerichards.net>

We believe that the bug you reported is fixed in the latest version of
python-aiosmtpd, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1072...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Dale Richards <d...@dalerichards.net> (supplier of updated python-aiosmtpd package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)



Format: 1.8
Date: Fri, 07 Jun 2024 18:11:07 +0100
Source: python-aiosmtpd
Architecture: source
Version: 1.4.3-1.1+deb12u1
Distribution: bookworm
Urgency: medium
Maintainer: Debian Python Team <team+pyt...@tracker.debian.org>
Changed-By: Dale Richards <d...@dalerichards.net>
Closes: 1066820 1072119
Changes:
 python-aiosmtpd (1.4.3-1.1+deb12u1) bookworm; urgency=medium
 .
   * Team upload.
   * CVE-2024-27305 - SMTP smuggling due to poor handling of
     non-standard line endings (Closes: #1066820)
   * CVE-2024-34083 - STARTTLS unencrypted command injection
     (Closes: #1072119)



--- End Message ---