Source: python-aiosmtpd
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for python-aiosmtpd.

CVE-2024-34083[0]:
| aiosmtpd is a reimplementation of the Python stdlib smtpd.py based
| on asyncio. Prior to version 1.4.6, servers based on aiosmtpd accept
| extra unencrypted commands after STARTTLS, treating them as if they
| came from inside the encrypted connection. This could be exploited
| by a man-in-the-middle attack. Version 1.4.6 contains a patch for
| the issue.

https://github.com/aio-libs/aiosmtpd/security/advisories/GHSA-wgjv-9j3q-jhg8
https://github.com/aio-libs/aiosmtpd/commit/b3a4a2c6ecfd228856a20d637dc383541fcdbfda (v1.4.6)

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-34083
    https://www.cve.org/CVERecord?id=CVE-2024-34083

Please adjust the affected versions in the BTS as needed.
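As an added illustration (not aiosmtpd's code and not the linked fix), the constructed model below shows the buffering mistake the CVE describes: command bytes that arrived in plaintext behind STARTTLS must not be read as if they came from inside the TLS session. The `hardened` path discards whatever is still queued before the handshake, one possible mitigation; the class, function and sample lines are assumptions for this illustration.

```python
from typing import List, Tuple

Event = Tuple[str, bool]  # (command line, was it treated as TLS-protected?)


class LineBuffer:
    """CRLF line buffer standing in for an asyncio StreamReader's internal buffer."""

    def __init__(self) -> None:
        self._buf = bytearray()

    def feed(self, data: bytes) -> None:
        self._buf += data

    def readline(self) -> bytes:
        end = self._buf.find(b"\r\n")
        if end < 0:
            return b""
        line = bytes(self._buf[:end])
        del self._buf[: end + 2]
        return line

    def discard(self) -> int:
        """Drop everything still buffered; returns the number of bytes dropped."""
        dropped = len(self._buf)
        self._buf.clear()
        return dropped


def run_session(segments: List[bytes], hardened: bool) -> List[Event]:
    """Feed each segment in turn (first plaintext, later ones decrypted from TLS)
    and record which commands the server believed were TLS-protected."""
    reader, tls, events = LineBuffer(), False, []
    for segment in segments:
        reader.feed(segment)
        while line := reader.readline():
            cmd = line.decode("ascii", "replace")
            if cmd.upper() == "STARTTLS" and not tls:
                if hardened:
                    # Bytes already queued behind STARTTLS arrived in the clear and
                    # cannot be attributed to the TLS peer: drop them before the
                    # handshake (assumed mitigation for this illustration).
                    reader.discard()
                tls = True
                events.append((cmd, False))
                continue
            events.append((cmd, tls))
    return events


# Constructed sample traffic: one plaintext segment carrying a command behind
# STARTTLS, then one segment representing data received after the handshake.
PLAINTEXT = b"EHLO client.example\r\nSTARTTLS\r\nMAIL FROM:<queued@example.test>\r\n"
ENCRYPTED = b"MAIL FROM:<alice@example.test>\r\n"
```

Without the check, the queued `MAIL FROM` is logged with the TLS flag set even though it was never encrypted; with it, only the post-handshake command carries that flag.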