author: Tomas Orsava <torsava@redhat.com>, 2016-07-08 12:21:18 +0200
committer: Tomas Orsava <torsava@redhat.com>, 2016-07-08 12:21:18 +0200
commit: cf658381d6b9733d80c6a14a21b7627636f33bf0 (patch)
tree: 0ed148158f6e90663319b35a80ab56a5fe7ffcd7 /00237-CVE-2016-0772-smtplib.patch
parent: 678bf2ba6a49de4fc1b6a4d14f84265813f9db87 (diff)
download: python34-cf658381d6b9733d80c6a14a21b7627636f33bf0.tar.gz, python34-cf658381d6b9733d80c6a14a21b7627636f33bf0.tar.xz, python34-cf658381d6b9733d80c6a14a21b7627636f33bf0.zip
Fix CVE-2016-0772 and CVE-2016-5699 (rhbz#1348973, rhbz#1348982)
CVE-2016-0772 python: smtplib StartTLS stripping attack (rhbz#1303647)
Raise an error when STARTTLS fails (upstream patch)
CVE-2016-5699 python: http protocol stream injection attack (rhbz#1303699)
Disabled HTTP header injections in http.client (upstream patch)
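The STARTTLS-stripping scenario named in the commit message, as an added loopback demonstration that is not part of the python34 package or of the CPython patch. A small fake SMTP server (constructed here, bound to 127.0.0.1) plays the man-in-the-middle in both of its usual forms: it either strips the STARTTLS capability from the EHLO reply, or advertises it and then answers STARTTLS with 454. The client side uses the installed interpreter's smtplib, so it shows the post-fix behaviour (starttls() raising SMTPResponseException) and the two explicit checks a caller needs so that a downgraded session is never used in cleartext. All names (`mitm.example`, `client.example`, `open_session_fail_closed`, the modes "strip"/"refuse") are assumptions of this example.

```python
"""Fail-closed STARTTLS handling in smtplib, shown against a fake MITM server.

Added example; not code from the python34 package or the CPython patch.
The server, host names and function names below are constructed for the demo.
"""
import smtplib
import socket
import threading


def _fake_smtp_server(listener, mode):
    """Serve exactly one client connection as a hostile relay (constructed).

    mode == "strip":  EHLO reply omits STARTTLS (capability stripped).
    mode == "refuse": EHLO advertises STARTTLS, but STARTTLS is answered 454.
    """
    conn, _ = listener.accept()
    with conn, conn.makefile("rb") as rfile:
        conn.sendall(b"220 mitm.example ESMTP\r\n")  # constructed banner
        for raw in rfile:  # one SMTP command per line until the client hangs up
            cmd = raw.strip().upper()
            if cmd.startswith(b"EHLO"):
                if mode == "strip":
                    conn.sendall(b"250 mitm.example\r\n")
                else:
                    conn.sendall(b"250-mitm.example\r\n250 STARTTLS\r\n")
            elif cmd.startswith(b"HELO"):
                conn.sendall(b"250 mitm.example\r\n")
            elif cmd == b"STARTTLS":
                # RFC 3207 temporary failure; pre-fix smtplib returned this
                # as (454, ...) instead of raising.
                conn.sendall(b"454 TLS not available due to temporary reason\r\n")
            elif cmd == b"QUIT":
                conn.sendall(b"221 bye\r\n")
                break
            else:
                conn.sendall(b"500 unexpected\r\n")


def start_fake_server(mode):
    """Bind an ephemeral loopback port and serve one connection in a thread."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    thread = threading.Thread(target=_fake_smtp_server,
                              args=(listener, mode), daemon=True)
    thread.start()
    return listener.getsockname()[1], thread, listener


def open_session_fail_closed(host, port):
    """Connect and insist on TLS; report how the negotiation ended.

    Returns ("ok", 220) only if STARTTLS completed, ("stripped", None) if the
    capability was missing from EHLO, or ("refused", code) if the server
    rejected STARTTLS.  The cleartext session is closed in every non-ok case,
    so nothing can be sent over it by mistake.
    """
    # local_hostname avoids a reverse-DNS lookup for the EHLO argument.
    smtp = smtplib.SMTP(host, port, local_hostname="client.example", timeout=5)
    try:
        smtp.ehlo()
        # Check 1: a MITM can simply drop the STARTTLS line from EHLO.
        if not smtp.has_extn("starttls"):
            return ("stripped", None)
        # Check 2: a MITM can answer STARTTLS with an error.  Fixed smtplib
        # raises here; older code had to test the returned status itself.
        try:
            smtp.starttls()
        except smtplib.SMTPResponseException as exc:
            return ("refused", exc.smtp_code)
        return ("ok", 220)
    finally:
        smtp.close()


def demo():
    """Run both MITM tactics against the fail-closed client."""
    results = {}
    for mode in ("strip", "refuse"):
        port, thread, listener = start_fake_server(mode)
        try:
            results[mode] = open_session_fail_closed("127.0.0.1", port)
        finally:
            thread.join(timeout=5)
            listener.close()
    return results


if __name__ == "__main__":
    print(demo())
```

The two checks are independent: the first catches the downgrade the patch does not address (a stripped capability, which smtplib reports as an unsupported extension), the second is the path the patch hardens. A client that only did `resp, _ = smtp.starttls()` and ignored `resp` on a pre-fix interpreter would pass straight through the 454 case and call `sendmail()` on the plaintext socket.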
Diffstat (limited to '00237-CVE-2016-0772-smtplib.patch')
-rw-r--r-- | 00237-CVE-2016-0772-smtplib.patch | 34 |
1 files changed, 34 insertions, 0 deletions
diff --git a/00237-CVE-2016-0772-smtplib.patch b/00237-CVE-2016-0772-smtplib.patch new file mode 100644 index 0000000..d3213bd --- /dev/null +++ b/00237-CVE-2016-0772-smtplib.patch @@ -0,0 +1,34 @@ +From 5b67aca6fb4246e84981d6361ba218bd52e73ac2 Mon Sep 17 00:00:00 2001 +From: Tomas Orsava <torsava@redhat.com> +Date: Tue, 21 Jun 2016 15:52:03 +0200 +Subject: [PATCH] Raise an error when STARTTLS fails + +CVE-2016-0772 python: smtplib StartTLS stripping attack +rhbz#1303647: https://bugzilla.redhat.com/show_bug.cgi?id=1303647 + +Based on an upstream change by Benjamin Peterson <benjamin@python.org> +- in changeset 101887:d590114c2394 3.4 +- https://hg.python.org/cpython/rev/d590114c2394 +--- + Lib/smtplib.py | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/Lib/smtplib.py b/Lib/smtplib.py +index dc16ef6..8bc806b 100755 +--- a/Lib/smtplib.py ++++ b/Lib/smtplib.py +@@ -655,6 +655,11 @@ class SMTP: + self.ehlo_resp = None + self.esmtp_features = {} + self.does_esmtp = 0 ++ else: ++ # RFC 3207: ++ # 501 Syntax error (no parameters allowed) ++ # 454 TLS not available due to temporary reason ++ raise SMTPResponseException(resp, reply) + return (resp, reply) + + def sendmail(self, from_addr, to_addrs, msg, mail_options=[], +-- +2.5.5 + |
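Review bot: the new else branch in starttls() raises SMTPResponseException for every reply other than 220, not only the 501 and 454 cases the comment lists; reword the comment (for example "any reply other than 220 means TLS was not started, RFC 3207 section 4") so a reader does not assume other codes still fall through to `return (resp, reply)`. That return is now reachable only on success, so the starttls() docstring and any caller that inspected the returned status itself should be updated to match, and the diffstat (Lib/smtplib.py only, 5 insertions) shows no regression test for a server answering STARTTLS with 454, which is worth adding alongside the backport from d590114c2394.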