The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Vulnerability of Python: TLS disabling in smtplib

Synthesis of the vulnerability

An attacker can prevent the smtplib module of Python from establishing a TLS tunnel, in order to read sent mails.
Severity of this announcement: 1/4.
Creation date: 16/06/2016.
References of this computer vulnerability: bulletinjul2016, CVE-2016-0772, DLA-1663-1, DLA-522-1, DLA-871-1, DSA-2019-131, FEDORA-2016-105b80d1be, FEDORA-2016-13be2ee499, FEDORA-2016-2869023091, FEDORA-2016-34ca5273e9, FEDORA-2016-5c52dcfe47, FEDORA-2016-6c2b74bb96, FEDORA-2016-a0853405eb, FEDORA-2016-aae6bb9433, FEDORA-2016-b046b56518, FEDORA-2016-e37f15a5f4, FEDORA-2016-ef784cf9f7, openSUSE-SU-2016:1885-1, openSUSE-SU-2016:2120-1, RHSA-2016:1626-01, RHSA-2016:1627-01, RHSA-2016:1628-01, RHSA-2016:1629-01, RHSA-2016:1630-01, SP-CAAAPSR, SPL-128812, SUSE-SU-2019:0223-1, USN-3134-1, VIGILANCE-VUL-19915.

Description of the vulnerability

The Python standard library includes an SMTP client, smtplib.

This library can upgrade the connection to a TLS tunnel with STARTTLS. However, it does not check the status code of the reply to the STARTTLS command, and accepts to continue the SMTP session in plain text. An attacker who can hijack the traffic can therefore inject an error reply after the STARTTLS command to disable the encryption.

An attacker can therefore prevent the smtplib module of Python from establishing a TLS tunnel, in order to read sent mails.
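To make the missing check concrete, here is an added example (not code from the bulletin or from CPython) of an smtplib subclass whose starttls() fails closed in the way the upstream fix does, plus a constructed peer that answers STARTTLS with an error, as an on-path attacker would. The names StrictSMTP, check_starttls_reply, session_is_encrypted and simulate_downgrade are assumptions of this example.

```python
import smtplib, socket, ssl

def check_starttls_reply(code, reply):
    """Accept only 220 'Ready to start TLS'. Unpatched smtplib (before 2.7.12,
    3.4.5 and 3.5.2) returned any other reply without raising, so the session
    silently stayed in plain text (CVE-2016-0772)."""
    if code != 220:
        raise smtplib.SMTPResponseException(code, reply)
    return True

def session_is_encrypted(smtp):
    """Defensive check for unpatched interpreters: call before login()/sendmail()."""
    return isinstance(smtp.sock, ssl.SSLSocket)

class StrictSMTP(smtplib.SMTP):
    """SMTP client whose starttls() fails closed, mirroring the upstream fix."""
    def starttls(self, context=None):
        self.ehlo_or_helo_if_needed()
        if not self.has_extn("starttls"):
            raise smtplib.SMTPNotSupportedError("STARTTLS not offered by server")
        code, reply = self.docmd("STARTTLS")
        check_starttls_reply(code, reply)  # the status check the vulnerable versions lacked
        if context is None:
            context = ssl.create_default_context()
        self.sock = context.wrap_socket(self.sock, server_hostname=self._host)
        self.file = None                   # reset state after the handshake, as the stdlib does
        self.helo_resp = self.ehlo_resp = None
        self.esmtp_features = {}
        self.does_esmtp = False
        return code, reply

def simulate_downgrade(peer_reply=b"454 TLS not available due to temporary reason\r\n"):
    """Run StrictSMTP against a constructed peer that rejects STARTTLS (what an
    on-path attacker injects); return the exception name, or 'no-error'."""
    client_side, peer_side = socket.socketpair()
    smtp = StrictSMTP(local_hostname="client.example")  # no host given, so nothing connects
    smtp.sock = client_side
    smtp.ehlo_resp = b"250 ok"              # pretend EHLO already advertised STARTTLS
    smtp.esmtp_features = {"starttls": ""}
    smtp.does_esmtp = True
    peer_side.sendall(peer_reply)           # queued answer to the STARTTLS command
    try:
        smtp.starttls()
        return "no-error"
    except smtplib.SMTPResponseException as exc:
        return type(exc).__name__
    finally:
        smtp.close()
        peer_side.close()
```

On an interpreter that cannot be upgraded, calling session_is_encrypted() right after starttls() and before any credentials or message data are sent gives the same fail-closed behaviour from the caller's side.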

This computer threat bulletin impacts software or systems such as Debian, VNX Operating Environment, VNX Series, Fedora, openSUSE, openSUSE Leap, Solaris, Python, RHEL, Splunk Enterprise, SUSE Linux Enterprise Desktop, SLES, Ubuntu.

Our Vigil@nce team determined that the severity of this security threat is low.

The trust level is confirmed by the vendor, and the attack origin is the LAN.

An attacker with expert ability can exploit this computer vulnerability alert.

Solutions for this threat

Python: version 3.4.5.
The version 3.4.5 is fixed:
  https://www.python.org/ftp/python/3.4.5/Python-3.4.5.tgz

Python: version 3.5.2.
The version 3.5.2 is fixed:
  https://www.python.org/ftp/python/3.5.2/Python-3.5.2.tgz

Python: version 2.7.12.
The version 2.7.12 is fixed:
  https://www.python.org/downloads/release/python-2712/

Python: patch for smtplib.
A patch is available:
  Python 2.7: https://hg.python.org/cpython/raw-rev/b3ce713fb9be
  Python 3.4: https://hg.python.org/cpython/raw-rev/d590114c2394

Debian 7: new python3.2 packages.
New packages are available:
  Debian 7: python3.2 3.2.3-7+deb7u1

Debian 8: new python3.4 packages.
New packages are available:
  Debian 8: python3.4 3.4.2-1+deb8u2

Debian: new python2.7 packages.
New packages are available:
  Debian 7: python2.7 2.7.3-6+deb7u3

Dell EMC VNXe3200: version 3.1.10.9946299.
The version 3.1.10.9946299 is fixed:
  https://www.dell.com/

Fedora 22: new python3 packages.
New packages are available:
  Fedora 22: python3 3.4.2-8.fc22

Fedora 23: new python3 packages.
New packages are available:
  Fedora 23: python3 3.4.3-9.fc23

Fedora 24: new python3 packages.
New packages are available:
  Fedora 24: python3 3.5.1-9.fc24

Fedora: new pypy3 packages.
New packages are available:
  Fedora 22: pypy3 2.4.0-3.fc22
  Fedora 23: pypy3 2.4.0-3.fc23
  Fedora 24: pypy3 2.4.0-6.fc24

Fedora: new pypy packages.
New packages are available:
  Fedora 24: pypy 5.0.1-3.fc24
  Fedora 23: pypy 4.0.1-3.fc23

Fedora: new python packages.
New packages are available:
  Fedora 22: python 2.7.10-10.fc22
  Fedora 23: python 2.7.11-5.fc23
  Fedora 24: python 2.7.11-6.fc24

openSUSE: new python3 packages.
New packages are available:
  openSUSE 13.2: python3 3.4.5-4.4.1
  openSUSE Leap 42.1: python3 3.4.5-8.1

openSUSE: new python packages.
New packages are available:
  openSUSE 13.2: python 2.7.12-3.1
  openSUSE Leap 42.1: python 2.7.12-23.1

RHEL 7: new rh-python35-python packages.
New packages are available:
  RHEL 7: rh-python35-python 3.5.1-9.el7

RHEL: new python27-python packages.
New packages are available:
  RHEL 6: python27-python 2.7.8-18.el6
  RHEL 7: python27-python 2.7.8-16.el7

RHEL: new python33-python packages.
New packages are available:
  RHEL 6: python33-python 3.3.2-18.el6
  RHEL 7: python33-python 3.3.2-16.el7

RHEL: new python packages.
New packages are available:
  RHEL 6: python 2.6.6-66.el6_8
  RHEL 7: python 2.7.5-38.el7_2

RHEL: new rh-python34-python packages.
New packages are available:
  RHEL 6: rh-python34-python 3.4.2-14.el6

Solaris: patch for third party software of July 2016 v1.
A patch is available:
  https://support.oracle.com/rs?type=doc&id=1448883.1

Splunk Enterprise: versions 6.5.0, 6.4.5, 6.3.8, 6.2.12, 6.1.12, 6.0.13 and 5.0.17.
Versions 6.5.0, 6.4.5, 6.3.8, 6.2.12, 6.1.12, 6.0.13 and 5.0.17 are fixed:
  http://www.splunk.com/en_us/homepage.html

SUSE LE 12 RTM: new python packages.
New packages are available:
  SUSE LE 12 RTM: python 2.7.9-16.7.1

Ubuntu: new python packages.
New packages are available:
  Ubuntu 16.04 LTS: python2.7 2.7.12-1ubuntu0~16.04.1, python3.5 3.5.2-2ubuntu0~16.04.1
  Ubuntu 14.04 LTS: python2.7 2.7.6-8ubuntu0.3, python3.4 3.4.3-1ubuntu1~14.04.5
  Ubuntu 12.04 LTS: python2.7 2.7.3-0ubuntu3.9, python3.2 3.2.3-0ubuntu3.8

Computer vulnerabilities tracking service

Vigil@nce provides cybersecurity announcements. The Vigil@nce vulnerability database contains several thousand vulnerabilities.