Bug 1221328 (CVE-2024-27305)

Summary: VUL-0: CVE-2024-27305: python-aiosmtpd: SMTP smuggling
Product: [Novell Products] SUSE Security Incidents Reporter: SMASH SMASH <smash_bz>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: IN_PROGRESS --- QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: andrea.mattiazzo, mcepl
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/397387/
Whiteboard:
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description SMASH SMASH 2024-03-13 08:33:39 UTC 
aiosmtpd is a reimplementation of the Python stdlib smtpd.py based on asyncio. aiosmtpd is vulnerable to inbound SMTP smuggling. SMTP smuggling is a novel vulnerability based on not so novel interpretation differences of the SMTP protocol. By exploiting SMTP smuggling, an attacker may send smuggle/spoof e-mails with fake sender addresses, allowing advanced phishing attacks. This issue is also existed in other SMTP software like Postfix. With the right SMTP server constellation, an attacker can send spoofed e-mails to inbound/receiving aiosmtpd instances. This issue has been addressed in version 1.4.5. Users are advised to upgrade. There are no known workarounds for this vulnerability.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-27305
https://www.postfix.org/smtp-smuggling.html
https://www.cve.org/CVERecord?id=CVE-2024-27305
https://github.com/aio-libs/aiosmtpd/security/advisories/GHSA-pr2m-px7j-xg65
https://bugzilla.redhat.com/show_bug.cgi?id=2269311

Patch:
https://github.com/aio-libs/aiosmtpd/commit/24b6c79c8921cf1800e27ca144f4f37023982bbb
Comment 1 Andrea Mattiazzo 2024-03-13 08:34:28 UTC 
Tracking as affected:
- openSUSE:Backports:SLE-15-SP4/python-aiosmtpd  1.2.1
- openSUSE:Backports:SLE-15-SP5/python-aiosmtpd  1.2.1
- openSUSE:Factory/python-aiosmtpd               1.4.4
Comment 2 Andrea Mattiazzo 2024-03-13 08:36:03 UTC 
(In reply to Andrea Mattiazzo from comment #1)
> Tracking as affected:
> - openSUSE:Backports:SLE-15-SP4/python-aiosmtpd  1.2.1
> - openSUSE:Backports:SLE-15-SP5/python-aiosmtpd  1.2.1
> - openSUSE:Factory/python-aiosmtpd               1.4.4

Errata: openSUSE:Backports:SLE-15-SP4 could be left out since it is in EOS
Comment 3 OBSbugzilla Bot 2024-03-13 17:35:07 UTC 
This is an autogenerated message for OBS integration:
This bug (1221328) was mentioned in
https://build.opensuse.org/request/show/1157672 Factory / python-aiosmtpd
Comment 4 OBSbugzilla Bot 2024-03-14 15:35:03 UTC 
This is an autogenerated message for OBS integration:
This bug (1221328) was mentioned in
https://build.opensuse.org/request/show/1157995 Backports:SLE-15-SP6 / python-aiosmtpd
https://build.opensuse.org/request/show/1157996 Backports:SLE-15-SP5 / python-aiosmtpd
Comment 5 OBSbugzilla Bot 2024-04-01 13:05:02 UTC 
This is an autogenerated message for OBS integration:
This bug (1221328) was mentioned in
https://build.opensuse.org/request/show/1163948 Backports:SLE-15-SP6 / python-aiosmtpd
Comment 6 OBSbugzilla Bot 2024-05-20 12:05:02 UTC 
This is an autogenerated message for OBS integration:
This bug (1221328) was mentioned in
https://build.opensuse.org/request/show/1175332 Backports:SLE-15-SP5 / python-aiosmtpd
Comment 7 OBSbugzilla Bot 2024-05-27 14:15:02 UTC 
This is an autogenerated message for OBS integration:
This bug (1221328) was mentioned in
https://build.opensuse.org/request/show/1177142 Backports:SLE-15-SP5 / python-aiosmtpd