1221328 – (CVE-2024-27305) VUL-0: CVE-2024-27305: python-aiosmtpd: SMTP smuggling

Bug 1221328 (CVE-2024-27305) - VUL-0: CVE-2024-27305: python-aiosmtpd: SMTP smuggling

Summary: VUL-0: CVE-2024-27305: python-aiosmtpd: SMTP smuggling

Status:	IN_PROGRESS

Alias:	CVE-2024-27305

Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents (show other bugs)
Version:	unspecified
Hardware:	Other Other

Priority:	P3 - Medium Severity: Normal
Target Milestone:	---
Assignee:	Security Team bot
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/397387/
Whiteboard:
Keywords:

Depends on:
Blocks:

Clone This Bug

Reported:	2024-03-13 08:33 UTC by SMASH SMASH
Modified:	2024-05-27 14:15 UTC (History)
CC List:	2 users (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description SMASH SMASH 2024-03-13 08:33:39 UTC

aiosmtpd is a reimplementation of the Python stdlib smtpd.py based on asyncio. aiosmtpd is vulnerable to inbound SMTP smuggling. SMTP smuggling is a novel vulnerability based on not so novel interpretation differences of the SMTP protocol. By exploiting SMTP smuggling, an attacker may send smuggle/spoof e-mails with fake sender addresses, allowing advanced phishing attacks. This issue is also existed in other SMTP software like Postfix. With the right SMTP server constellation, an attacker can send spoofed e-mails to inbound/receiving aiosmtpd instances. This issue has been addressed in version 1.4.5. Users are advised to upgrade. There are no known workarounds for this vulnerability.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-27305
https://www.postfix.org/smtp-smuggling.html
https://www.cve.org/CVERecord?id=CVE-2024-27305
https://github.com/aio-libs/aiosmtpd/security/advisories/GHSA-pr2m-px7j-xg65
https://bugzilla.redhat.com/show_bug.cgi?id=2269311

Patch:
https://github.com/aio-libs/aiosmtpd/commit/24b6c79c8921cf1800e27ca144f4f37023982bbb

Comment 1 Andrea Mattiazzo 2024-03-13 08:34:28 UTC

Tracking as affected:
- openSUSE:Backports:SLE-15-SP4/python-aiosmtpd  1.2.1
- openSUSE:Backports:SLE-15-SP5/python-aiosmtpd  1.2.1
- openSUSE:Factory/python-aiosmtpd               1.4.4

Comment 2 Andrea Mattiazzo 2024-03-13 08:36:03 UTC

(In reply to Andrea Mattiazzo from comment #1)
> Tracking as affected:
> - openSUSE:Backports:SLE-15-SP4/python-aiosmtpd  1.2.1
> - openSUSE:Backports:SLE-15-SP5/python-aiosmtpd  1.2.1
> - openSUSE:Factory/python-aiosmtpd               1.4.4

Errata: openSUSE:Backports:SLE-15-SP4 could be left out since it is in EOS

Comment 3 OBSbugzilla Bot 2024-03-13 17:35:07 UTC

This is an autogenerated message for OBS integration:
This bug (1221328) was mentioned in
https://build.opensuse.org/request/show/1157672 Factory / python-aiosmtpd

Comment 4 OBSbugzilla Bot 2024-03-14 15:35:03 UTC

This is an autogenerated message for OBS integration:
This bug (1221328) was mentioned in
https://build.opensuse.org/request/show/1157995 Backports:SLE-15-SP6 / python-aiosmtpd
https://build.opensuse.org/request/show/1157996 Backports:SLE-15-SP5 / python-aiosmtpd

Comment 5 OBSbugzilla Bot 2024-04-01 13:05:02 UTC

This is an autogenerated message for OBS integration:
This bug (1221328) was mentioned in
https://build.opensuse.org/request/show/1163948 Backports:SLE-15-SP6 / python-aiosmtpd

Comment 6 OBSbugzilla Bot 2024-05-20 12:05:02 UTC

This is an autogenerated message for OBS integration:
This bug (1221328) was mentioned in
https://build.opensuse.org/request/show/1175332 Backports:SLE-15-SP5 / python-aiosmtpd

Comment 7 OBSbugzilla Bot 2024-05-27 14:15:02 UTC

This is an autogenerated message for OBS integration:
This bug (1221328) was mentioned in
https://build.opensuse.org/request/show/1177142 Backports:SLE-15-SP5 / python-aiosmtpd