Source: python-aiosmtpd
Version: 1.4.4.post2-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for python-aiosmtpd.

CVE-2024-27305[0]:
| aiosmtpd is a reimplementation of the Python stdlib smtpd.py based
| on asyncio. aiosmtpd is vulnerable to inbound SMTP smuggling. SMTP
| smuggling is a novel vulnerability based on not so novel
| interpretation differences of the SMTP protocol. By exploiting SMTP
| smuggling, an attacker may send smuggled/spoofed e-mails with fake
| sender addresses, allowing advanced phishing attacks. This issue
| also exists in other SMTP software like Postfix. With the right
| SMTP server constellation, an attacker can send spoofed e-mails to
| inbound/receiving aiosmtpd instances. This issue has been addressed
| in version 1.4.5. Users are advised to upgrade. There are no known
| workarounds for this vulnerability.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-27305
    https://www.cve.org/CVERecord?id=CVE-2024-27305
[1] https://github.com/aio-libs/aiosmtpd/security/advisories/GHSA-pr2m-px7j-xg65
[2] https://github.com/aio-libs/aiosmtpd/commit/24b6c79c8921cf1800e27ca144f4f37023982bbb

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
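The "interpretation differences" the advisory refers to are about where a receiving server decides the DATA section ends. The following is an added illustration, not code from aiosmtpd or from this report: it compares a strict RFC 5321 reading, in which only CRLF "." CRLF terminates DATA, with a lenient reading that also honours a lone "." line delimited by a bare LF or CR, and flags a message on which the two readings disagree; the lenient line regex, the function names and the sample messages are constructed for this example.

```python
"""Strict vs. lenient SMTP end-of-data detection (illustrative only)."""
import re
from typing import Optional

# RFC 5321 section 4.1.1.4: the DATA section ends at CRLF "." CRLF.
STRICT_EOD = b"\r\n.\r\n"

# Constructed for this example: a lenient receiver that splits lines on
# CRLF, bare LF or bare CR. CRLF is listed first so it is never split in two.
LENIENT_LINE_RE = re.compile(rb"(?:\r\n|\n|\r)")


def strict_end_of_data(stream: bytes) -> Optional[int]:
    """Offset of the terminating '.' as a strict receiver sees it, else None."""
    # The CRLF that ended the DATA command itself counts as the leading CRLF.
    if stream.startswith(b".\r\n"):
        return 0
    i = stream.find(STRICT_EOD)
    return None if i == -1 else i + 2


def lenient_end_of_data(stream: bytes) -> Optional[int]:
    """Offset of the first lone '.' line as a lenient receiver sees it."""
    pos = 0
    for m in LENIENT_LINE_RE.finditer(stream):
        if stream[pos:m.start()] == b".":
            return pos
        pos = m.end()
    return None


def smuggling_suspected(stream: bytes) -> bool:
    """True when the two readings disagree about where DATA ends.

    A disagreement means a lenient receiver would stop reading the message
    early and treat whatever follows as new SMTP commands, which is the
    condition a defender wants to reject or at least log.
    """
    return strict_end_of_data(stream) != lenient_end_of_data(stream)


# Constructed sample inputs: a well-formed message and one whose body
# contains a lone '.' line delimited by bare LF before the real terminator.
CLEAN = b"Subject: hi\r\n\r\nbody\r\n.\r\n"
SUSPECT = b"Subject: hi\r\n\r\nbody\n.\nsecond message\r\n.\r\n"

if __name__ == "__main__":
    for name, msg in (("clean", CLEAN), ("suspect", SUSPECT)):
        print(name, "strict:", strict_end_of_data(msg),
              "lenient:", lenient_end_of_data(msg),
              "suspected:", smuggling_suspected(msg))
```

A receiver that enforces only the strict terminator and rejects bare LF/CR line endings inside DATA removes the ambiguity entirely, which is the defensive posture the advisory's "inbound/receiving" wording points at.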