svn commit: r417962 - head/security/vuxml
Bernard Spil
brnrd at FreeBSD.org
Sun Jul 3 09:28:59 UTC 2016
Author: brnrd
Date: Sun Jul 3 09:28:57 2016
New Revision: 417962
URL: https://svnweb.freebsd.org/changeset/ports/417962
Log:
security/vuxml: Add Python smtplib TLS stripping vuln
PR: 210685
Submitted by: brnrd
Security: CVE-2016-0772
Security: 8d5368ef-40fe-11e6-b2ec-b499baebfeaf
Modified:
head/security/vuxml/vuln.xml
Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml Sun Jul 3 09:00:05 2016 (r417961)
+++ head/security/vuxml/vuln.xml Sun Jul 3 09:28:57 2016 (r417962)
@@ -58,6 +58,49 @@ Notes:
* Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
-->
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+ <vuln vid="8d5368ef-40fe-11e6-b2ec-b499baebfeaf">
+ <topic>Python 2.7 -- smtplib StartTLS stripping vulnerability</topic>
+ <affects>
+ <package>
+ <name>python27</name>
+ <range><lt>2.7.12</lt></range>
+ </package>
+ <package>
+ <name>python33</name>
+ <range><gt>0</gt></range>
+ </package>
+ <package>
+ <name>python34</name>
+ <range><lt>3.4.5</lt></range>
+ </package>
+ <package>
+ <name>python35</name>
+ <range><lt>3.5.2</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Red Hat reports:</p>
+ <blockquote cite="https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-0772">
+ <p>A vulnerability in smtplib allowing MITM attacker to perform a
+ startTLS stripping attack. smtplib does not seem to raise an exception
+ when the remote end (smtp server) is capable of negotiating starttls but
+ fails to respond with 220 (ok) to an explicit call of SMTP.starttls().
+ This may allow a malicious MITM to perform a startTLS stripping attack
+ if the client code does not explicitly check the response code for startTLS.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-0772</url>
+ <cvename>CVE-2016-0772</cvename>
+ </references>
+ <dates>
+ <discovery>2016-06-14</discovery>
+ <entry>2016-07-03</entry>
+ </dates>
+ </vuln>
+
<vuln vid="e7028e1d-3f9b-11e6-81f9-6805ca0b3d42">
<topic>phpMyAdmin -- multiple vulnerabilities</topic>
<affects>
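Review bot: the <topic> line names only "Python 2.7" while the <affects> block also lists python33, python34 and python35, so the advisory title undersells its own scope; rename it to cover every branch, e.g. `<topic>Python -- smtplib StartTLS stripping vulnerability</topic>`. The python33 range `<range><gt>0</gt></range>` marks every version of that port as vulnerable with no fixed release, which is acceptable if no fix exists for that branch, but nothing in the entry or commit log says so; add a sentence to the log (or an upstream reference) explaining why 3.3 is open-ended while 2.7, 3.4 and 3.5 have upper bounds of 2.7.12, 3.4.5 and 3.5.2. The <references> block carries only the Red Hat bugzilla link; adding the upstream CPython changelog or issue for the fixed releases would let readers verify those range bounds without a second lookup.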