From: Victor Stinner Date: Wed, 19 Jul 2017 00:44:38 +0000 (+0200) Subject: [3.3] bpo-30585: [security] raise an error when STARTTLS fails (#225) X-Git-Tag: v3.3.7rc1~14 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=3625f7fd11679ecb390ffa58ef36d487acc8159b;p=thirdparty%2FPython%2Fcpython.git [3.3] bpo-30585: [security] raise an error when STARTTLS fails (#225) (cherry picked from commit 46b32f307c48bcb999b22eebf65ffe8ed5cca544) --- diff --git a/Lib/smtplib.py b/Lib/smtplib.py index 57f181b986d4..5656cc645872 100755 --- a/Lib/smtplib.py +++ b/Lib/smtplib.py @@ -680,6 +680,11 @@ class SMTP: self.ehlo_resp = None self.esmtp_features = {} self.does_esmtp = 0 + else: + # RFC 3207: + # 501 Syntax error (no parameters allowed) + # 454 TLS not available due to temporary reason + raise SMTPResponseException(resp, reply) return (resp, reply) def sendmail(self, from_addr, to_addrs, msg, mail_options=[], diff --git a/Misc/NEWS b/Misc/NEWS index d3a0e530143e..29065b8e32c4 100644 --- a/Misc/NEWS +++ b/Misc/NEWS @@ -35,6 +35,9 @@ Core and Builtins Library ------- +- [Security] bpo-30585: Fix TLS stripping vulnerability in smptlib, + CVE-2016-0772. Reported by Team Oststrom + - [Security] bpo-30694: Upgrade expat copy from 2.2.0 to 2.2.1 to get fixes of multiple security vulnerabilities including: CVE-2017-9233 (External entity infinite loop DoS), CVE-2016-9063 (Integer overflow, re-fix),
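Review bot: The new `else:` branch in Lib/smtplib.py raises for every reply other than 220, but its comment names only 501 and 454, and nothing in the hunk documents the new exception for callers; starttls() begins above the hunk, so its docstring is not visible here and should be checked. I would widen the comment to `# Any reply other than 220 means TLS was not negotiated; raise so the session cannot silently continue in cleartext (RFC 3207 lists 501 and 454).` and add a docstring line such as `Raises SMTPResponseException if the server does not answer STARTTLS with 220.` Callers that used to inspect the returned code now need to catch the exception, and must not fall back to sending credentials or mail over the unencrypted connection afterwards. The patch as shown touches only Lib/smtplib.py and Misc/NEWS, so a regression test against a stub server that answers STARTTLS with 454 would be worth adding to pin this behaviour.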