File CVE-2024-34083.patch of Package python-aiosmtpd.18391

Index: aiosmtpd-1.2.1/aiosmtpd/docs/NEWS.rst
===================================================================
--- aiosmtpd-1.2.1.orig/aiosmtpd/docs/NEWS.rst
+++ aiosmtpd-1.2.1/aiosmtpd/docs/NEWS.rst
@@ -13,6 +13,10 @@
 * Improve Controller ssl_context documentation.
 * Add timeout feature. (Partial fix for #145)
 
+1.4.6 (2024-05-06)
+==================
+
+* STARTTLS is now fully enforced if used.
 
 1.1 (2017-07-06)
 ================
Index: aiosmtpd-1.2.1/aiosmtpd/smtp.py
===================================================================
--- aiosmtpd-1.2.1.orig/aiosmtpd/smtp.py
+++ aiosmtpd-1.2.1/aiosmtpd/smtp.py
@@ -154,6 +154,9 @@ class SMTP(asyncio.StreamReaderProtocol)
             self._reader._transport = transport
             self._writer._transport = transport
             self.transport = transport
+            # Discard any leftover unencrypted data
+            # See https://tools.ietf.org/html/rfc3207#page-7
+            self._reader._buffer.clear()  # type: ignore[attr-defined]
             # Do SSL certificate checking as rfc3207 part 4.1 says.  Why is
             # _extra a protected attribute?
             self.session.ssl = self._tls_protocol._extra
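Review bot: The leftover plaintext is dropped silently at `self._reader._buffer.clear()`, so data received in the clear before the TLS handshake completed, which is what this fix exists to reject, leaves no trace for operators or detection rules. Consider logging the discarded size before clearing, e.g. `if self._reader._buffer: log.warning("Discarded %d bytes of plaintext buffered before TLS handshake", len(self._reader._buffer))`, assuming the module-level logger is named `log` (it is not visible in this hunk). The line also relies on the private `StreamReader._buffer` attribute, so a comment such as `# _buffer is a private asyncio.StreamReader attribute; re-check on Python upgrades` would help, since a future rename would break the mitigation. This patch carries no regression test; one asserting that bytes buffered before the upgrade are never processed as SMTP commands afterwards would pin the behaviour. The enclosing method starts and ends outside the hunk.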