[3.3] bpo-30585: [security] raise an error when STARTTLS fails (#225)
authorVictor Stinner <victor.stinner@gmail.com>
Wed, 19 Jul 2017 00:44:38 +0000 (02:44 +0200)
committerNed Deily <nad@python.org>
Wed, 19 Jul 2017 00:44:38 +0000 (20:44 -0400)
(cherry picked from commit 46b32f307c48bcb999b22eebf65ffe8ed5cca544)

Lib/smtplib.py
Misc/NEWS

index 57f181b986d47b7e07e326486b5a61f3f5c4f2c6..5656cc64587252272b229254438f5665ded492f0 100755 (executable)
@@ -680,6 +680,11 @@ class SMTP:
             self.ehlo_resp = None
             self.esmtp_features = {}
             self.does_esmtp = 0
+        else:
+            # RFC 3207:
+            # 501 Syntax error (no parameters allowed)
+            # 454 TLS not available due to temporary reason
+            raise SMTPResponseException(resp, reply)
         return (resp, reply)
 
     def sendmail(self, from_addr, to_addrs, msg, mail_options=[],
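Review bot: The new `else` branch makes starttls() raise `SMTPResponseException` on any non-220 reply where it used to return the reply, and neither a docstring update nor a regression test for that is visible here; the file list names only Lib/smtplib.py and Misc/NEWS. starttls() starts above this hunk, so its docstring cannot be checked from here; if it does not already say so, add a line such as `Raises SMTPResponseException if the server does not reply 220 to STARTTLS.` A test whose stub server answers 454 to STARTTLS and asserts the exception would pin the fail-closed behaviour. The docs should also note that the connection is still plaintext when the exception is raised, so callers that catch it should not go on to login() or sendmail() on that session.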
index d3a0e530143e90c1b730fcf4d84533e86b909ee2..29065b8e32c457dcbe059e2f8cd89b19674274fa 100644 (file)
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -35,6 +35,9 @@ Core and Builtins
 Library
 -------
 
+- [Security] bpo-30585: Fix TLS stripping vulnerability in smptlib,
+  CVE-2016-0772.  Reported by Team Oststrom
+
 - [Security] bpo-30694: Upgrade expat copy from 2.2.0 to 2.2.1 to get fixes
   of multiple security vulnerabilities including: CVE-2017-9233 (External
   entity infinite loop DoS), CVE-2016-9063 (Integer overflow, re-fix),