Security update for python-aiosmtpd SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:0243-1 Final 1 1 2024-08-16T04:02:47Z current 2024-08-16T04:02:47Z 2024-08-16T04:02:47Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for python-aiosmtpd This update for python-aiosmtpd fixes the following issues: - CVE-2024-34083: Fixed MiTM attack could inject extra unencrypted commands after STARTTLS (boo#1224467) - CVE-2024-27305: Fixed SMTP smuggling (boo#1221328) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2024-243 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/G642S3M3RN5DHIPCAJBHQAPH7Q6QWPX2/ E-Mail link for openSUSE-SU-2024:0243-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1221328 SUSE Bug 1221328 https://bugzilla.suse.com/1224467 SUSE Bug 1224467 https://www.suse.com/security/cve/CVE-2024-27305/ SUSE CVE CVE-2024-27305 page https://www.suse.com/security/cve/CVE-2024-34083/ SUSE CVE CVE-2024-34083 page SUSE Package Hub 15 SP5 openSUSE Leap 15.5 python3-aiosmtpd-1.2.1-bp155.3.3.1 python3-aiosmtpd-1.2.1-bp155.3.3.1 as a component of SUSE Package Hub 15 SP5 python3-aiosmtpd-1.2.1-bp155.3.3.1 as a component of openSUSE Leap 15.5 aiosmtpd is a reimplementation of the Python stdlib smtpd.py based on asyncio. aiosmtpd is vulnerable to inbound SMTP smuggling. SMTP smuggling is a novel vulnerability based on not so novel interpretation differences of the SMTP protocol. By exploiting SMTP smuggling, an attacker may send smuggle/spoof e-mails with fake sender addresses, allowing advanced phishing attacks. This issue is also existed in other SMTP software like Postfix. With the right SMTP server constellation, an attacker can send spoofed e-mails to inbound/receiving aiosmtpd instances. This issue has been addressed in version 1.4.5. Users are advised to upgrade. There are no known workarounds for this vulnerability. CVE-2024-27305 SUSE Package Hub 15 SP5:python3-aiosmtpd-1.2.1-bp155.3.3.1 openSUSE Leap 15.5:python3-aiosmtpd-1.2.1-bp155.3.3.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/G642S3M3RN5DHIPCAJBHQAPH7Q6QWPX2/ https://www.suse.com/security/cve/CVE-2024-27305.html CVE-2024-27305 https://bugzilla.suse.com/1221328 SUSE Bug 1221328 aiosmptd is a reimplementation of the Python stdlib smtpd.py based on asyncio. Prior to version 1.4.6, servers based on aiosmtpd accept extra unencrypted commands after STARTTLS, treating them as if they came from inside the encrypted connection. This could be exploited by a man-in-the-middle attack. Version 1.4.6 contains a patch for the issue. CVE-2024-34083 SUSE Package Hub 15 SP5:python3-aiosmtpd-1.2.1-bp155.3.3.1 openSUSE Leap 15.5:python3-aiosmtpd-1.2.1-bp155.3.3.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/G642S3M3RN5DHIPCAJBHQAPH7Q6QWPX2/ https://www.suse.com/security/cve/CVE-2024-34083.html CVE-2024-34083 https://bugzilla.suse.com/1224467 SUSE Bug 1224467