Fix CVE-2024-34083

(cherry picked from commit 343793bcda86d5f48a160a44d0e666c96f06445a)
lvfei 2024-05-20 09:04:09 +08:00 committed by openeuler-sync-bot
parent dce6110fc0
commit e8baf51b0a
2 changed files with 48 additions and 1 deletions

43
CVE-2024-34083.patch Normal file

@ -0,0 +1,43 @@
From 0360116a634a842b2bbe93528284679587a7c6c2 Mon Sep 17 00:00:00 2001
From: Arusekk <Arusekk@aio-libs>
Date: Mon, 20 May 2024 08:57:18 +0800
Subject: [PATCH] CVE-2024-34083
---
aiosmtpd/docs/NEWS.rst | 5 +++++
aiosmtpd/smtp.py | 3 +++
2 files changed, 8 insertions(+)
diff --git a/aiosmtpd/docs/NEWS.rst b/aiosmtpd/docs/NEWS.rst
index 875ead0..fa8089b 100644
--- a/aiosmtpd/docs/NEWS.rst
+++ b/aiosmtpd/docs/NEWS.rst
@@ -15,6 +15,11 @@ Fixed/Improved
* All Controllers now have more rationale design, as they are now composited from a Base + a Mixin
* A whole bunch of annotations
+1.4.6 (2024-05-06)
+==================
+
+* STARTTLS is now fully enforced if used.
+
1.4.4 (2023-01-17)
==================
diff --git a/aiosmtpd/smtp.py b/aiosmtpd/smtp.py
index 09c85bf..8a20d13 100644
--- a/aiosmtpd/smtp.py
+++ b/aiosmtpd/smtp.py
@@ -504,6 +504,9 @@ class SMTP(asyncio.StreamReaderProtocol):
self._reader._transport = transport
self._writer._transport = transport
self.transport = transport
+ # Discard any leftover unencrypted data
+ # See https://tools.ietf.org/html/rfc3207#page-7
+ self._reader._buffer.clear() # type: ignore[attr-defined]
# Do SSL certificate checking as rfc3207 part 4.1 says. Why is
# _extra a protected attribute?
self.session.ssl = self._tls_protocol._extra
--
2.27.0
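Review bot: The new `self._reader._buffer.clear()  # type: ignore[attr-defined]` line reaches into a private attribute of asyncio.StreamReader, so on an interpreter where that attribute is renamed the call raises AttributeError inside connection_made instead of discarding the pre-TLS bytes; that direction is the right one (the session cannot continue with injected plaintext still queued), but the comment should say so and cite the normative text rather than a page number, e.g. `# RFC 3207 section 4.2: discard everything received before TLS was negotiated.` and `# Private asyncio API: an AttributeError here is preferable to continuing with pre-TLS bytes queued.`. The backport carries only the smtp.py and NEWS.rst changes and no regression test; if the upstream 1.4.6 fix shipped with a test that pipelines a plaintext command after STARTTLS and asserts it is never executed, porting it alongside this patch would guard against the fix being silently lost on a future rebase. The enclosing connection_made method starts and ends outside the hunk, so the only check visible here is that the buffer is cleared after the reader and writer transports have been swapped to the TLS transport.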


@ -1,12 +1,13 @@
%global _empty_manifest_terminate_build 0 %global _empty_manifest_terminate_build 0
Name: python-aiosmtpd Name: python-aiosmtpd
Version: 1.4.4 Version: 1.4.4
Release: 2 Release: 3
Summary: aiosmtpd - asyncio based SMTP server Summary: aiosmtpd - asyncio based SMTP server
License: Apache 2.0 License: Apache 2.0
URL: https://github.com/aio-libs/aiosmtpd URL: https://github.com/aio-libs/aiosmtpd
Source0: https://github.com/aio-libs/aiosmtpd/archive/%{version}.tar.gz#/aiosmtpd-%{version}.tar.gz Source0: https://github.com/aio-libs/aiosmtpd/archive/%{version}.tar.gz#/aiosmtpd-%{version}.tar.gz
Patch0: CVE-2024-27305.patch Patch0: CVE-2024-27305.patch
Patch1: CVE-2024-34083.patch
BuildArch: noarch BuildArch: noarch
@ -72,6 +73,9 @@ mv %{buildroot}/doclist.lst .
%{_pkgdocdir} %{_pkgdocdir}
%changelog %changelog
* Mon May 20 2024 lvfei <lvfei@kylinos.cn> - 1.4.4-3
- Fix CVE-2024-34083
* Wed Mar 13 2024 wangkai <13474090681@163.com> - 1.4.4-2 * Wed Mar 13 2024 wangkai <13474090681@163.com> - 1.4.4-2
- Fix CVE-2024-27305 - Fix CVE-2024-27305