From ${URL} : A vulnerability in smtplib allowing MITM attacker to perform a startTLS stripping attack. smtplib does not seem to raise an exception when the remote end (smtp server) is capable of negotiating starttls but fails to respond with 220 (ok) to an explicit call of SMTP.starttls(). This may allow a malicious MITM to perform a startTLS stripping attack if the client code does not explicitly check the response code for startTLS. Patch : Branch 2.7 : https://hg.python.org/cpython/rev/b3ce713fb9be Branch 3.4 : https://hg.python.org/cpython/rev/d590114c2394 @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
v2.7.12 available in Gentoo repository since https://gitweb.gentoo.org/repo/gentoo.git/commit/dev-lang/python?id=15d3634b3190d3cfe9844fc4bae311a553218d19 v3.4.5 available in Gentoo repository since https://gitweb.gentoo.org/repo/gentoo.git/commit/dev-lang/python?id=7b490bcdfcede0d003d84c2da8a271104c0f0e7b
CVE-2016-0772 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0772): The smtplib library in CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 does not return an error when StartTLS fails, which might allow man-in-the-middle attackers to bypass the TLS protections by leveraging a network position between the client and the registry to block the StartTLS command, aka a "StartTLS stripping attack."
Please proceed with stabilization of 2.7.12 and 3.4.5.
@ Arches, please test and mark stable: =dev-lang/python-2.7.12 =dev-lang/python-3.4.5 While stabilizing python-3.4.5 please have a look at https://gitweb.gentoo.org/data/gentoo-news.git/tree/2015-12-16-python-abiflags-rebuild-needed/2015-12-16-python-abiflags-rebuild-needed.en.txt
amd64 stable
x86 stable
Stable on alpha.
arm stable
An automated check of this bug failed - repoman reported dependency errors (50 lines truncated): > dependency.bad dev-lang/python/python-2.7.12.ebuild: PDEPEND: ia64(default/linux/ia64/13.0) ['>=app-eselect/eselect-python-20140125-r1'] > dependency.bad dev-lang/python/python-2.7.12.ebuild: PDEPEND: ia64(default/linux/ia64/13.0/desktop) ['>=app-eselect/eselect-python-20140125-r1'] > dependency.bad dev-lang/python/python-2.7.12.ebuild: PDEPEND: ia64(default/linux/ia64/13.0/desktop/gnome) ['>=app-eselect/eselect-python-20140125-r1'] > dependency.bad dev-lang/python/python-2.7.12.ebuild: PDEPEND: ia64(default/linux/ia64/13.0) ['>=app-eselect/eselect-python-20140125-r1'] > dependency.bad dev-lang/python/python-2.7.12.ebuild: PDEPEND: ia64(default/linux/ia64/13.0/desktop) ['>=app-eselect/eselect-python-20140125-r1'] > dependency.bad dev-lang/python/python-2.7.12.ebuild: PDEPEND: ia64(default/linux/ia64/13.0/desktop/gnome) ['>=app-eselect/eselect-python-20140125-r1']
An automated check of this bug succeeded - the previous repoman errors are now resolved.
ppc stable
ppc64 stable
sparc stable
ia64 stable
Stable for HPPA.
This issue was resolved and addressed in GLSA 201701-18 at https://security.gentoo.org/glsa/201701-18 by GLSA coordinator Thomas Deutschmann (whissi).
Re-opening for cleanup. @ Maintainer(s): Please drop =dev-lang/python-2.7.10-r1 and =dev-lang/python-3.4.3-r1! If you want to keep them in repository, please either drop keywords or apply a mask indicating a security problem.
commit a44128f035324efa9a517c0165ddfa79f255fdfa Author: Michał Górny <mgorny@gentoo.org> AuthorDate: Tue Jan 10 15:48:32 2017 Commit: Michał Górny <mgorny@gentoo.org> CommitDate: Tue Jan 10 15:52:49 2017 dev-lang/python: Sec cleanup, #585946 dev-lang/python/Manifest | 4 -- dev-lang/python/python-2.7.10-r1.ebuild | 347 --------------------------------------------------------------------------------------------------- dev-lang/python/python-3.4.3-r1.ebuild | 324 -------------------------------------------------------------------------------------------- 3 files changed, 675 deletions(-)
@ Maintainer(s): Thank you for your work! Repository is now clean, all done.
