Your message dated Mon, 17 Jun 2024 16:47:35 +0000
with message-id <e1sjfw3-0007s6...@fasolo.debian.org>
and subject line Bug#1072119: fixed in python-aiosmtpd 1.2.2-1+deb11u1
has caused the Debian Bug report #1072119,
regarding python-aiosmtpd: CVE-2024-34083
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1072119: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1072119
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: python-aiosmtpd
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security
Hi,
The following vulnerability was published for python-aiosmtpd.
CVE-2024-34083[0]:
| aiosmtpd is a reimplementation of the Python stdlib smtpd.py based
| on asyncio. Prior to version 1.4.6, servers based on aiosmtpd accept
| extra unencrypted commands after STARTTLS, treating them as if they
| came from inside the encrypted connection. This could be exploited
| by a man-in-the-middle attack. Version 1.4.6 contains a patch for
| the issue.
https://github.com/aio-libs/aiosmtpd/security/advisories/GHSA-wgjv-9j3q-jhg8
https://github.com/aio-libs/aiosmtpd/commit/b3a4a2c6ecfd228856a20d637dc383541fcdbfda
(v1.4.6)
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2024-34083
https://www.cve.org/CVERecord?id=CVE-2024-34083
Please adjust the affected versions in the BTS as needed.
--- End Message ---
--- Begin Message ---
Source: python-aiosmtpd
Source-Version: 1.2.2-1+deb11u1
Done: Dale Richards <d...@dalerichards.net>
We believe that the bug you reported is fixed in the latest version of
python-aiosmtpd, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1072...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Dale Richards <d...@dalerichards.net> (supplier of updated python-aiosmtpd
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Fri, 14 Jun 2024 14:09:42 +0100
Source: python-aiosmtpd
Architecture: source
Version: 1.2.2-1+deb11u1
Distribution: bullseye
Urgency: medium
Maintainer: Debian Python Team <team+pyt...@tracker.debian.org>
Changed-By: Dale Richards <d...@dalerichards.net>
Closes: 1066820 1072119
Changes:
python-aiosmtpd (1.2.2-1+deb11u1) bullseye; urgency=medium
.
* Team upload.
* CVE-2024-27305 - SMTP smuggling due to poor handling of
non-standard line endings (Closes: #1066820)
* CVE-2024-34083 - STARTTLS unencrypted command injection
(Closes: #1072119)
--- End Message ---
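
The behaviour described in the CVE-2024-34083 text above (cleartext bytes that arrive behind STARTTLS being handled as if they came from inside the encrypted connection) can be modelled with a toy line reader, shown here next to its hardened form. This is an added example, not aiosmtpd or Debian code: `Session`, `replay`, `seen_as_encrypted` and the sample byte strings are hypothetical, and the TLS handshake is modelled as an instantaneous flag change.

```python
"""Toy model of an SMTP command reader across the STARTTLS upgrade.

Constructed for illustration; not aiosmtpd code. All names are hypothetical.
"""

# Constructed sample input: one cleartext segment that carries an extra
# command (a harmless NOOP) behind STARTTLS, followed by the first bytes
# that really arrive through the TLS layer.
CLEARTEXT_SEGMENT = b"EHLO client.example\r\nSTARTTLS\r\nNOOP\r\n"
TLS_PAYLOAD = b"EHLO client.example\r\n"


class Session:
    def __init__(self, flush_on_starttls):
        self.flush_on_starttls = flush_on_starttls
        self.buffer = b""        # received but not yet parsed
        self.tls_active = False
        self.log = []            # (verb, server believes it was encrypted)

    def feed(self, data):
        """Append bytes from the current transport and parse whole lines."""
        self.buffer += data
        while b"\r\n" in self.buffer:
            line, self.buffer = self.buffer.split(b"\r\n", 1)
            verb = line.split(b" ", 1)[0].upper().decode("ascii", "replace")
            self.log.append((verb, self.tls_active))
            if verb == "STARTTLS" and not self.tls_active:
                if self.flush_on_starttls:
                    # Hardened: whatever is still buffered arrived in
                    # cleartext and must not reach the TLS session.
                    self.buffer = b""
                self.tls_active = True  # handshake modelled as instant


def replay(flush_on_starttls, cleartext=CLEARTEXT_SEGMENT, tls=TLS_PAYLOAD):
    """Return the commands the server processed, in order."""
    session = Session(flush_on_starttls)
    session.feed(cleartext)   # read from the socket before the handshake
    session.feed(tls)         # delivered by the TLS layer afterwards
    return session.log


def seen_as_encrypted(log):
    """Verbs the server attributed to the encrypted session."""
    return [verb for verb, encrypted in log if encrypted]


if __name__ == "__main__":
    print("unflushed:", seen_as_encrypted(replay(False)))
    print("flushed:  ", seen_as_encrypted(replay(True)))
```

A regression test for a patched server can use the same shape: send the trailing command in the same cleartext write as STARTTLS and confirm it is never acted on.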