Fix CVE-2024-34083
(cherry picked from commit 343793bcda86d5f48a160a44d0e666c96f06445a)
parent
dce6110fc0
commit
e8baf51b0a
43
CVE-2024-34083.patch
Normal file
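--- a/CVE-2024-34083.patch
+++ b/CVE-2024-34083.patch
@@ -0,0 +1,43 @@
+From 0360116a634a842b2bbe93528284679587a7c6c2 Mon Sep 17 00:00:00 2001
+From: Arusekk <Arusekk@aio-libs>
+Date: Mon, 20 May 2024 08:57:18 +0800
+Subject: [PATCH] CVE-2024-34083
+
+---
+aiosmtpd/docs/NEWS.rst | 5 +++++
+aiosmtpd/smtp.py | 3 +++
+2 files changed, 8 insertions(+)
+
+diff --git a/aiosmtpd/docs/NEWS.rst b/aiosmtpd/docs/NEWS.rst
+index 875ead0..fa8089b 100644
+--- a/aiosmtpd/docs/NEWS.rst
++++ b/aiosmtpd/docs/NEWS.rst
+@@ -15,6 +15,11 @@ Fixed/Improved
+* All Controllers now have more rationale design, as they are now composited from a Base + a Mixin
+* A whole bunch of annotations
+
++1.4.6 (2024-05-06)
++==================
++
++* STARTTLS is now fully enforced if used.
++
+
+1.4.4 (2023-01-17)
+==================
+diff --git a/aiosmtpd/smtp.py b/aiosmtpd/smtp.py
+index 09c85bf..8a20d13 100644
+--- a/aiosmtpd/smtp.py
++++ b/aiosmtpd/smtp.py
+@@ -504,6 +504,9 @@ class SMTP(asyncio.StreamReaderProtocol):
+self._reader._transport = transport
+self._writer._transport = transport
+self.transport = transport
++ # Discard any leftover unencrypted data
++ # See https://tools.ietf.org/html/rfc3207#page-7
++ self._reader._buffer.clear() # type: ignore[attr-defined]
+# Do SSL certificate checking as rfc3207 part 4.1 says. Why is
+# _extra a protected attribute?
+self.session.ssl = self._tls_protocol._extra
+--
+2.27.0
+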
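Review bot: The backport carries the three-line fix in `aiosmtpd/smtp.py` and a NEWS entry but no regression test (the patch stat lists only those two files), so nothing in the package build would notice if the buffer clear were dropped or misplaced on a later rebase. `self._reader._buffer.clear()` depends on a private attribute of asyncio's `StreamReader`, as the `# type: ignore[attr-defined]` acknowledges, so the comment above it should state the invariant rather than only link the RFC, e.g. `# Bytes buffered before the TLS handshake arrived unauthenticated in plaintext and must never be parsed as commands of the encrypted session`. The enclosing method starts and ends outside the hunk, so whether this path runs only on the post-STARTTLS transport swap cannot be confirmed from the visible lines. The NEWS heading says 1.4.6 while the spec still builds 1.4.4, which may mislead anyone matching the installed version against the advisory; a packaging note that the fix is backported would help.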
@ -1,12 +1,13 @@
|
||||
%global _empty_manifest_terminate_build 0
|
||||
Name: python-aiosmtpd
|
||||
Version: 1.4.4
|
||||
Release: 2
|
||||
Release: 3
|
||||
Summary: aiosmtpd - asyncio based SMTP server
|
||||
License: Apache 2.0
|
||||
URL: https://github.com/aio-libs/aiosmtpd
|
||||
Source0: https://github.com/aio-libs/aiosmtpd/archive/%{version}.tar.gz#/aiosmtpd-%{version}.tar.gz
|
||||
Patch0: CVE-2024-27305.patch
|
||||
Patch1: CVE-2024-34083.patch
|
||||
BuildArch: noarch
|
||||
|
||||
|
||||
@ -72,6 +73,9 @@ mv %{buildroot}/doclist.lst .
|
||||
%{_pkgdocdir}
|
||||
|
||||
%changelog
|
||||
* Mon May 20 2024 lvfei <lvfei@kylinos.cn> - 1.4.4-3
|
||||
- Fix CVE-2024-34083
|
||||
|
||||
* Wed Mar 13 2024 wangkai <13474090681@163.com> - 1.4.4-2
|
||||
- Fix CVE-2024-27305
|
||||
|
||||
|
||||
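Review bot: `Patch1: CVE-2024-34083.patch` is declared in the preamble, but the `%prep` section that has to apply it lies between the two hunks and is not shown, so it cannot be confirmed from this page that the patch is actually applied at build time. If `%prep` uses `%autosetup -p1` or `%autopatch`, nothing more is needed. If it applies patches one by one, a matching `%patch1 -p1` line is required, otherwise the package ships as 1.4.4-3 with a changelog claiming the CVE-2024-34083 fix while the STARTTLS code is unchanged. It is worth checking the built `smtp.py` for the `_buffer.clear()` line as part of the release check.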