[oe-commits] [openembedded-core] 06/13: python-2.7: Security fix CVE-2016-0772
git at git.openembedded.org
Tue Dec 6 22:47:48 UTC 2016
rpurdie pushed a commit to branch jethro
in repository openembedded-core.
commit dd1a22f4beeb4100388efdc072e7cff2025535a7
Author: Armin Kuster <akuster at mvista.com>
AuthorDate: Sun Nov 6 10:27:08 2016 -0800
python-2.7: Security fix CVE-2016-0772
Affects python < 2.7.12
Signed-off-by: Armin Kuster <akuster at mvista.com>
---
.../python/python/CVE-2016-0772.patch | 42 ++++++++++++++++++++++
meta/recipes-devtools/python/python_2.7.9.bb | 1 +
2 files changed, 43 insertions(+)
diff --git a/meta/recipes-devtools/python/python/CVE-2016-0772.patch b/meta/recipes-devtools/python/python/CVE-2016-0772.patch
new file mode 100644
index 0000000..0580507
--- /dev/null
+++ b/meta/recipes-devtools/python/python/CVE-2016-0772.patch
@@ -0,0 +1,42 @@
+
+# HG changeset patch
+# User Benjamin Peterson <benjamin at python.org>
+# Date 1465676202 25200
+# Node ID b3ce713fb9beebfff9848cefa0acbd59acc68fe9
+# Parent 3017e41b0c99d24e88faf1de447f230e2f64d122
+raise an error when STARTTLS fails
+
+Upstream-status: Backport
+CVE: CVE-2016-0772
+Signed-off-by: Armin Kuster <akuster at mvista.com>
+
+Index: Python-2.7.9/Lib/smtplib.py
+===================================================================
+--- Python-2.7.9.orig/Lib/smtplib.py
++++ Python-2.7.9/Lib/smtplib.py
+@@ -656,6 +656,11 @@ class SMTP:
+ self.ehlo_resp = None
+ self.esmtp_features = {}
+ self.does_esmtp = 0
++ else:
++ # RFC 3207:
++ # 501 Syntax error (no parameters allowed)
++ # 454 TLS not available due to temporary reason
++ raise SMTPResponseException(resp, reply)
+ return (resp, reply)
+
+ def sendmail(self, from_addr, to_addrs, msg, mail_options=[],
+Index: Python-2.7.9/Misc/NEWS
+===================================================================
+--- Python-2.7.9.orig/Misc/NEWS
++++ Python-2.7.9/Misc/NEWS
+@@ -5136,6 +5136,9 @@ Library
+
+ - Issue #8140: Extend compileall to compile single files. Add -i option.
+
++- Fix TLS stripping vulnerability in smptlib, CVE-2016-0772. Reported by Team
++ Oststrom
++
+ - Issue #7356: ctypes.util: Make parsing of ldconfig output independent of the
+ locale.
+
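Review bot: the patch header line `Upstream-status: Backport` should be `Upstream-Status: Backport` (capital S) to match the oe-core patch header convention, which the layer tooling checks for. The change itself is sound: before this fix, a non-220 reply to STARTTLS left the connection in cleartext while the method simply returned `(resp, reply)`, so a caller that did not inspect the code kept talking to the server unencrypted; the new `else:` branch raises `SMTPResponseException(resp, reply)` so a stripped or refused STARTTLS becomes an error. The `smptlib` spelling in the NEWS entry comes from the upstream changeset and can be left as-is to keep the backport verbatim.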
diff --git a/meta/recipes-devtools/python/python_2.7.9.bb b/meta/recipes-devtools/python/python_2.7.9.bb
index f7e2f27..53ec991 100644
--- a/meta/recipes-devtools/python/python_2.7.9.bb
+++ b/meta/recipes-devtools/python/python_2.7.9.bb
@@ -26,6 +26,7 @@ SRC_URI += "\
file://parallel-makeinst-create-bindir.patch \
file://use_sysroot_ncurses_instead_of_host.patch \
file://avoid_parallel_make_races_on_pgen.patch \
+ file://CVE-2016-0772.patch \
"
S = "${WORKDIR}/Python-${PV}"
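Review bot: the `file://CVE-2016-0772.patch` entry is placed at the end of the SRC_URI list like the other local patches, and a `file://` entry needs no checksum, so nothing else is required here. The `Index: Python-2.7.9/Lib/smtplib.py` paths in the patch match the `python_2.7.9.bb` version this recipe builds, so it should apply without fuzz.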
--