Bugzilla – Bug 984751
VUL-1: CVE-2016-0772: python,python3: smtplib StartTLS stripping attack
Last modified: 2022-02-13 11:14:55 UTC
reported by redhat to oss-sec

Hi,

This is to publicly disclose Python CVE-2016-0772: smtplib StartTLS stripping attack.

Description:
A vulnerability in smtplib allowing a MITM attacker to perform a startTLS stripping attack. smtplib does not seem to raise an exception when the remote end (smtp server) is capable of negotiating starttls but fails to respond with 220 (ok) to an explicit call of SMTP.starttls(). This may allow a malicious MITM to perform a startTLS stripping attack if the client code does not explicitly check the response code for startTLS.

Upstream patch:
3.4 branch: https://hg.python.org/cpython/rev/d590114c2394
2.7 branch: https://hg.python.org/cpython/rev/b3ce713fb9be

Red Hat Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-0772

Reported by: Tin (Team Oststrom)

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1303647
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0772
http://seclists.org/oss-sec/2016/q2/541
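The failure mode described in the report, as an added example that is not part of the original bug, the oss-sec post or CPython itself: a constructed fake SMTP server on loopback plays the role of the stripping MITM (it advertises STARTTLS in its EHLO reply but answers the STARTTLS command with 454 instead of 220), and two clients are run against it. send_starttls_strict() does the explicit response-code check the advisory says application code must do on an unpatched smtplib (the same check the fix added inside SMTP.starttls()); stdlib_starttls_refuses() shows whether the installed smtplib raises SMTPResponseException on its own. The names StartTLSRefused, serve_one_client, start_fake_server and check_against_stripping_server are hypothetical helpers for this example.

```python
import smtplib
import socket
import ssl
import threading

# Constructed for this example: the reply a STARTTLS-stripping MITM (or a
# misconfigured relay) sends instead of "220 Ready to start TLS".
STRIP_REPLY = b"454 4.7.0 TLS not available due to local problem\r\n"


def serve_one_client(listener):
    """Fake SMTP server: advertises STARTTLS in EHLO, then refuses the command."""
    conn, _ = listener.accept()
    listener.close()
    with conn, conn.makefile("rb") as lines:
        conn.sendall(b"220 fake.example ESMTP\r\n")
        for raw in lines:
            cmd = raw.strip().upper()
            if cmd.startswith(b"EHLO"):
                conn.sendall(b"250-fake.example\r\n250 STARTTLS\r\n")
            elif cmd.startswith(b"HELO"):
                conn.sendall(b"250 fake.example\r\n")
            elif cmd == b"STARTTLS":
                conn.sendall(STRIP_REPLY)  # never upgrades the connection
            elif cmd == b"QUIT":
                conn.sendall(b"221 Bye\r\n")
                break
            else:
                conn.sendall(b"250 OK\r\n")


def start_fake_server():
    """Bind a loopback port, serve exactly one client in a thread, return the port."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    threading.Thread(target=serve_one_client, args=(listener,), daemon=True).start()
    return port


class StartTLSRefused(smtplib.SMTPException):
    """The server advertised STARTTLS but did not answer the command with 220."""


def send_starttls_strict(host, port, timeout=5):
    """Upgrade to TLS only after an explicit 220 check; never fall back to plaintext.

    This is the check client code has to do itself on an unpatched smtplib;
    the steps mirror what SMTP.starttls() does after the CVE-2016-0772 fix.
    """
    smtp = smtplib.SMTP(host, port, local_hostname="client.example", timeout=timeout)
    try:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            raise StartTLSRefused("server does not advertise STARTTLS")
        code, reply = smtp.docmd("STARTTLS")
        if code != 220:
            # Refuse to continue rather than sending credentials in the clear.
            raise StartTLSRefused("STARTTLS refused: %d %r" % (code, reply))
        ctx = ssl.create_default_context()
        smtp.sock = ctx.wrap_socket(smtp.sock, server_hostname=host)
        # Discard the pre-TLS EHLO state and re-EHLO on the encrypted channel (RFC 3207).
        smtp.file = None
        smtp.helo_resp = smtp.ehlo_resp = None
        smtp.esmtp_features = {}
        smtp.does_esmtp = False
        smtp.ehlo()
        return True
    finally:
        try:
            smtp.quit()
        except smtplib.SMTPException:
            pass


def stdlib_starttls_refuses(host, port, timeout=5):
    """True if the installed smtplib itself raises on a non-220 STARTTLS reply.

    On a fixed Python, SMTP.starttls() raises SMTPResponseException(454, ...);
    on a vulnerable one it returns normally and the session stays in plaintext.
    """
    smtp = smtplib.SMTP(host, port, local_hostname="client.example", timeout=timeout)
    try:
        try:
            smtp.starttls()
        except smtplib.SMTPResponseException as exc:
            return exc.smtp_code == 454
        return False
    finally:
        try:
            smtp.quit()
        except smtplib.SMTPException:
            pass


def check_against_stripping_server():
    """Run both clients against fresh fake servers and report their verdicts."""
    port = start_fake_server()
    try:
        send_starttls_strict("127.0.0.1", port)
        strict_refused = False
    except StartTLSRefused:
        strict_refused = True
    return {
        "strict_client_refused": strict_refused,
        "stdlib_raised": stdlib_starttls_refuses("127.0.0.1", start_fake_server()),
    }


if __name__ == "__main__":
    print(check_against_stripping_server())
```

On a patched interpreter both verdicts are True; on a Python affected by this bug the second one is False, which is the silent plaintext fallback the report describes. The explicit check in send_starttls_strict() is the portable defence because it does not depend on which smtplib is installed.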
Can we use this to justify version-updating python3 to 3.4.5 in SLE12? 3.4.5 includes this security update, a small number of crasher bugfixes and a bigger number of other bugfixes. I will review the changelog in detail, but in general, micro-version updates like this are safe because of upstream non-breakage policy.
(In reply to Jan Matejek from comment #1)
> Can we use this to justify version-updating python3 to 3.4.5 in SLE12?

This would also let us easily push 3.4.5 into Leap 42.1 (see bug 983582).
This would currently be a jump from 3.4.1 to 3.4.5. Is this also a small changeset?
bugbot adjusting priority
At a rough guess, there will be about 300 patches between 3.4.1 and 3.4.5, so, not so small. I still believe that the update is safe, and as I said, I'd be reviewing the changes in detail. But, well. Not a small change.
started a FATE/ECO 320949
An update workflow for this issue was started. This issue was rated as moderate. Please submit fixed packages until 2016-07-08. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/62847
This is an autogenerated message for OBS integration: This bug (984751) was mentioned in https://build.opensuse.org/request/show/405901 Factory / python
This is an autogenerated message for OBS integration: This bug (984751) was mentioned in https://build.opensuse.org/request/show/405973 13.2+42.1 / python
openSUSE-SU-2016:1885-1: An update that solves three vulnerabilities and has one errata is now available.
Category: security (moderate)
Bug References: 964182,984751,985177,985348
CVE References: CVE-2016-0772,CVE-2016-5636,CVE-2016-5699
Sources used:
openSUSE Leap 42.1 (src): python-2.7.12-23.1, python-base-2.7.12-23.1, python-doc-2.7.12-23.1
openSUSE 13.2 (src): python-2.7.12-3.1, python-base-2.7.12-3.1, python-doc-2.7.12-3.1
Created attachment 688371 [details]
CVE-2016-0772.py

python CVE-2016-0772.py MUST report an error like:

Traceback (most recent call last):
  File "xx.py", line 14, in <module>
    smtp.starttls()
  File "/usr/lib64/python2.7/smtplib.py", line 663, in starttls
    raise SMTPResponseException(resp, reply)
smtplib.SMTPResponseException: (454, '4.7.0 TLS not available due to local problem')
SUSE-SU-2016:2106-1: An update that fixes four vulnerabilities is now available.
Category: security (moderate)
Bug References: 984751,985177,985348,989523
CVE References: CVE-2016-0772,CVE-2016-1000110,CVE-2016-5636,CVE-2016-5699
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP1 (src): python-base-2.7.9-24.2
SUSE Linux Enterprise Software Development Kit 12-SP1 (src): python-base-2.7.9-24.2
SUSE Linux Enterprise Server 12-SP1 (src): python-2.7.9-24.1, python-base-2.7.9-24.2, python-doc-2.7.9-24.4
SUSE Linux Enterprise Desktop 12-SP1 (src): python-2.7.9-24.1, python-base-2.7.9-24.2
openSUSE-SU-2016:2120-1: An update that solves 5 vulnerabilities and has two fixes is now available.
Category: security (moderate)
Bug References: 935856,951166,983582,984751,985177,985348,989523
CVE References: CVE-2014-4650,CVE-2016-0772,CVE-2016-1000110,CVE-2016-5636,CVE-2016-5699
Sources used:
openSUSE Leap 42.1 (src): python3-3.4.5-8.1, python3-base-3.4.5-8.1, python3-doc-3.4.5-8.1
openSUSE 13.2 (src): python3-3.4.5-4.4.1, python3-base-3.4.5-4.4.1, python3-doc-3.4.5-4.4.1
This is an autogenerated message for OBS integration: This bug (984751) was mentioned in https://build.opensuse.org/request/show/423094 42.2 / python3
An update workflow for this issue was started. This issue was rated as moderate. Please submit fixed packages until 2016-09-15. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/63016
SUSE-SU-2016:2270-1: An update that fixes three vulnerabilities is now available.
Category: security (moderate)
Bug References: 984751,985348,989523
CVE References: CVE-2016-0772,CVE-2016-1000110,CVE-2016-5699
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src): python-2.6.9-39.1, python-base-2.6.9-39.1, python-doc-2.6-8.39.1
SUSE Linux Enterprise Server 11-SP4 (src): python-2.6.9-39.1, python-base-2.6.9-39.1, python-doc-2.6-8.39.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src): python-2.6.9-39.1, python-base-2.6.9-39.1
I think we covered the relevant parts.
SUSE-SU-2016:2653-1: An update that solves four vulnerabilities and has three fixes is now available.
Category: security (moderate)
Bug References: 951166,983582,984751,985177,985348,989523,991069
CVE References: CVE-2016-0772,CVE-2016-1000110,CVE-2016-5636,CVE-2016-5699
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src): python3-base-3.4.5-17.1
SUSE Linux Enterprise Server 12-SP1 (src): python3-3.4.5-17.1, python3-base-3.4.5-17.1
SUSE Linux Enterprise Module for Web Scripting 12 (src): python3-3.4.5-17.1, python3-base-3.4.5-17.1
SUSE Linux Enterprise Desktop 12-SP1 (src): python3-3.4.5-17.1, python3-base-3.4.5-17.1
SUSE-SU-2016:2859-1: An update that solves four vulnerabilities and has three fixes is now available.
Category: security (moderate)
Bug References: 951166,983582,984751,985177,985348,989523,991069
CVE References: CVE-2016-0772,CVE-2016-1000110,CVE-2016-5636,CVE-2016-5699
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP2 (src): python3-base-3.4.5-19.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src): python3-3.4.5-19.1, python3-base-3.4.5-19.1
SUSE Linux Enterprise Server 12-SP2 (src): python3-3.4.5-19.1, python3-base-3.4.5-19.1
SUSE Linux Enterprise Desktop 12-SP2 (src): python3-3.4.5-19.1, python3-base-3.4.5-19.1
SUSE-SU-2019:0223-1: An update that fixes 5 vulnerabilities is now available.
Category: security (important)
Bug References: 1122191,984751,985177,985348,989523
CVE References: CVE-2016-0772,CVE-2016-1000110,CVE-2016-5636,CVE-2016-5699,CVE-2019-5010
Sources used:
SUSE Linux Enterprise Server 12-LTSS (src): python-2.7.9-16.7.1, python-base-2.7.9-16.7.2, python-doc-2.7.9-16.7.2
SUSE-SU-2020:0114-1: An update that solves 26 vulnerabilities and has 30 fixes is now available.
Category: security (important)
Bug References: 1027282,1029377,1029902,1040164,1042670,1070853,1079761,1081750,1083507,1086001,1088004,1088009,1088573,1094814,1107030,1109663,1109847,1120644,1122191,1129346,1130840,1133452,1137942,1138459,1141853,1149121,1149792,1149955,1151490,1153238,1159035,1159622,637176,658604,673071,709442,743787,747125,751718,754447,754677,787526,809831,831629,834601,871152,885662,885882,917607,942751,951166,983582,984751,985177,985348,989523
CVE References: CVE-2011-3389,CVE-2011-4944,CVE-2012-0845,CVE-2012-1150,CVE-2013-1752,CVE-2013-4238,CVE-2014-2667,CVE-2014-4650,CVE-2016-0772,CVE-2016-1000110,CVE-2016-5636,CVE-2016-5699,CVE-2017-18207,CVE-2018-1000802,CVE-2018-1060,CVE-2018-1061,CVE-2018-14647,CVE-2018-20406,CVE-2018-20852,CVE-2019-10160,CVE-2019-15903,CVE-2019-16056,CVE-2019-16935,CVE-2019-5010,CVE-2019-9636,CVE-2019-9947
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src): python3-3.6.10-3.42.2, python3-base-3.6.10-3.42.2, python3-doc-3.6.10-3.42.3
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src): python3-3.6.10-3.42.2, python3-base-3.6.10-3.42.2, python3-doc-3.6.10-3.42.3
SUSE Linux Enterprise Module for Development Tools 15-SP1 (src): python3-base-3.6.10-3.42.2
SUSE Linux Enterprise Module for Development Tools 15 (src): python3-base-3.6.10-3.42.2
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src): python3-3.6.10-3.42.2, python3-base-3.6.10-3.42.2
SUSE Linux Enterprise Module for Basesystem 15 (src): python3-3.6.10-3.42.2, python3-base-3.6.10-3.42.2
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2020:0086-1: An update that solves 26 vulnerabilities and has 30 fixes is now available.
Category: security (important)
Bug References: 1027282,1029377,1029902,1040164,1042670,1070853,1079761,1081750,1083507,1086001,1088004,1088009,1088573,1094814,1107030,1109663,1109847,1120644,1122191,1129346,1130840,1133452,1137942,1138459,1141853,1149121,1149792,1149955,1151490,1153238,1159035,1159622,637176,658604,673071,709442,743787,747125,751718,754447,754677,787526,809831,831629,834601,871152,885662,885882,917607,942751,951166,983582,984751,985177,985348,989523
CVE References: CVE-2011-3389,CVE-2011-4944,CVE-2012-0845,CVE-2012-1150,CVE-2013-1752,CVE-2013-4238,CVE-2014-2667,CVE-2014-4650,CVE-2016-0772,CVE-2016-1000110,CVE-2016-5636,CVE-2016-5699,CVE-2017-18207,CVE-2018-1000802,CVE-2018-1060,CVE-2018-1061,CVE-2018-14647,CVE-2018-20406,CVE-2018-20852,CVE-2019-10160,CVE-2019-15903,CVE-2019-16056,CVE-2019-16935,CVE-2019-5010,CVE-2019-9636,CVE-2019-9947
Sources used:
openSUSE Leap 15.1 (src): python3-3.6.10-lp151.6.7.1, python3-base-3.6.10-lp151.6.7.1
SUSE-SU-2020:0234-1: An update that solves 37 vulnerabilities and has 50 fixes is now available.
Category: security (important)
Bug References: 1027282,1041090,1042670,1068664,1073269,1073748,1078326,1078485,1079300,1081750,1083507,1084650,1086001,1088004,1088009,1109847,1111793,1113755,1122191,1129346,1130840,1130847,1138459,1141853,1149792,1149955,1153238,1153830,1159035,214983,298378,346490,367853,379534,380942,399190,406051,425138,426563,430761,432677,436966,437293,441088,462375,525295,534721,551715,572673,577032,581765,603255,617751,637176,638233,658604,673071,682554,697251,707667,718009,747125,747794,751718,754447,766778,794139,804978,827982,831442,834601,836739,856835,856836,857470,863741,885882,898572,901715,935856,945401,964182,984751,985177,985348,989523,997436
CVE References: CVE-2007-2052,CVE-2008-1721,CVE-2008-2315,CVE-2008-2316,CVE-2008-3142,CVE-2008-3143,CVE-2008-3144,CVE-2011-1521,CVE-2011-3389,CVE-2011-4944,CVE-2012-0845,CVE-2012-1150,CVE-2013-1752,CVE-2013-1753,CVE-2013-4238,CVE-2014-1912,CVE-2014-4650,CVE-2014-7185,CVE-2016-0772,CVE-2016-1000110,CVE-2016-5636,CVE-2016-5699,CVE-2017-1000158,CVE-2017-18207,CVE-2018-1000030,CVE-2018-1000802,CVE-2018-1060,CVE-2018-1061,CVE-2018-14647,CVE-2018-20852,CVE-2019-10160,CVE-2019-16056,CVE-2019-16935,CVE-2019-5010,CVE-2019-9636,CVE-2019-9947,CVE-2019-9948
Sources used:
SUSE Linux Enterprise Module for Python2 15-SP1 (src): python-2.7.17-7.32.2, python-base-2.7.17-7.32.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src): python-2.7.17-7.32.2, python-base-2.7.17-7.32.1, python-doc-2.7.17-7.32.2
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src): python-2.7.17-7.32.2, python-doc-2.7.17-7.32.2
SUSE Linux Enterprise Module for Desktop Applications 15-SP1 (src): python-2.7.17-7.32.2
SUSE Linux Enterprise Module for Desktop Applications 15 (src): python-2.7.17-7.32.2
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src): python-2.7.17-7.32.2, python-base-2.7.17-7.32.1
SUSE Linux Enterprise Module for Basesystem 15 (src): python-2.7.17-7.32.2, python-base-2.7.17-7.32.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
This is an autogenerated message for OBS integration: This bug (984751) was mentioned in https://build.opensuse.org/request/show/851367 Factory / python36
This is an autogenerated message for OBS integration: This bug (984751) was mentioned in https://build.opensuse.org/request/show/852415 Factory / python36
This is an autogenerated message for OBS integration: This bug (984751) was mentioned in https://build.opensuse.org/request/show/853277 Factory / python36
This is an autogenerated message for OBS integration: This bug (984751) was mentioned in https://build.opensuse.org/request/show/853314 Factory / python36
This is an autogenerated message for OBS integration: This bug (984751) was mentioned in https://build.opensuse.org/request/show/856737 Factory / python36
This is an autogenerated message for OBS integration: This bug (984751) was mentioned in https://build.opensuse.org/request/show/923499 Factory / python36
This is an autogenerated message for OBS integration: This bug (984751) was mentioned in https://build.opensuse.org/request/show/926876 Factory / python36
This is an autogenerated message for OBS integration: This bug (984751) was mentioned in https://build.opensuse.org/request/show/951983 Factory / python
This is an autogenerated message for OBS integration: This bug (984751) was mentioned in https://build.opensuse.org/request/show/953031 Factory / python