{ "document":{ "aggregate_severity":{ "namespace":"https://nvd.nist.gov/vuln-metrics/cvss", "text":"Medium" }, "category":"csaf_vex", "csaf_version":"2.0", "distribution":{ "tlp":{ "label":"WHITE", "url":"https:/www.first.org/tlp/" } }, "lang":"en", "notes":[ { "text":"python-aiosmtpd security update", "category":"general", "title":"Synopsis" }, { "text":"An update for python-aiosmtpd is now available for openEuler-22.03-LTS-SP1.", "category":"general", "title":"Summary" }, { "text":"This is a server for SMTP and related protocols, similar in utility to the standard library's smtpd.py module, but rewritten to be based on asyncio for Python 3.\n\nSecurity Fix(es):\n\naiosmptd is a reimplementation of the Python stdlib smtpd.py based on asyncio. Prior to version 1.4.6, servers based on aiosmtpd accept extra unencrypted commands after STARTTLS, treating them as if they came from inside the encrypted connection. This could be exploited by a man-in-the-middle attack. Version 1.4.6 contains a patch for the issue.(CVE-2024-34083)", "category":"general", "title":"Description" }, { "text":"An update for python-aiosmtpd is now available for openEuler-22.03-LTS-SP1.\n\nopenEuler Security has rated this update as having a security impact of medium. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section.", "category":"general", "title":"Topic" }, { "text":"Medium", "category":"general", "title":"Severity" }, { "text":"python-aiosmtpd", "category":"general", "title":"Affected Component" } ], "publisher":{ "issuing_authority":"openEuler security committee", "name":"openEuler", "namespace":"https://www.openeuler.org", "contact_details":"openeuler-security@openeuler.org", "category":"vendor" }, "references":[ { "summary":"openEuler-SA-2024-1695", "category":"self", "url":"https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2024-1695" }, { "summary":"CVE-2024-34083", "category":"self", "url":"https://www.openeuler.org/en/security/cve/detail?cveId=CVE-2024-34083&packageName=python-aiosmtpd" }, { "summary":"nvd cve", "category":"external", "url":"https://nvd.nist.gov/vuln/detail/CVE-2024-34083" }, { "summary":"openEuler-SA-2024-1695 vex file", "category":"self", "url":"https://repo.openeuler.org/security/data/csaf/advisories/2024/csaf-openeuler-sa-2024-1695.json" } ], "title":"An update for python-aiosmtpd is now available for openEuler-22.03-LTS-SP1", "tracking":{ "initial_release_date":"2024-06-07T09:19:38+08:00", "revision_history":[ { "date":"2024-06-07T09:19:38+08:00", "summary":"Initial", "number":"1.0.0" }, { "date":"2024-10-31T09:19:38+08:00", "summary":"final", "number":"2.0.0" } ], "generator":{ "date":"2024-10-31T09:19:38+08:00", "engine":{ "name":"openEuler CSAF Tool V1.0" } }, "current_release_date":"2024-10-31T09:19:38+08:00", "id":"openEuler-SA-2024-1695", "version":"2.0.0", "status":"final" } }, "product_tree":{ "branches":[ { "name":"openEuler", "category":"vendor", "branches":[ { "name":"openEuler", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:22.03-LTS-SP1" }, "product_id":"openEuler-22.03-LTS-SP1", "name":"openEuler-22.03-LTS-SP1" }, "name":"openEuler-22.03-LTS-SP1", "category":"product_version" } ], "category":"product_name" }, { "name":"noarch", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:22.03-LTS-SP1" }, "product_id":"python-aiosmtpd-help-1.4.6-1.oe2203sp1.noarch.rpm", "name":"python-aiosmtpd-help-1.4.6-1.oe2203sp1.noarch.rpm" }, "name":"python-aiosmtpd-help-1.4.6-1.oe2203sp1.noarch.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:22.03-LTS-SP1" }, "product_id":"python3-aiosmtpd-1.4.6-1.oe2203sp1.noarch.rpm", "name":"python3-aiosmtpd-1.4.6-1.oe2203sp1.noarch.rpm" }, "name":"python3-aiosmtpd-1.4.6-1.oe2203sp1.noarch.rpm", "category":"product_version" } ], "category":"architecture" }, { "name":"src", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:22.03-LTS-SP1" }, "product_id":"python-aiosmtpd-1.4.6-1.oe2203sp1.src.rpm", "name":"python-aiosmtpd-1.4.6-1.oe2203sp1.src.rpm" }, "name":"python-aiosmtpd-1.4.6-1.oe2203sp1.src.rpm", "category":"product_version" } ], "category":"architecture" } ] } ], "relationships":[ { "relates_to_product_reference":"openEuler-22.03-LTS-SP1", "product_reference":"python-aiosmtpd-help-1.4.6-1.oe2203sp1.noarch.rpm", "full_product_name":{ "product_id":"openEuler-22.03-LTS-SP1:python-aiosmtpd-help-1.4.6-1.oe2203sp1.noarch", "name":"python-aiosmtpd-help-1.4.6-1.oe2203sp1.noarch as a component of openEuler-22.03-LTS-SP1" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-22.03-LTS-SP1", "product_reference":"python3-aiosmtpd-1.4.6-1.oe2203sp1.noarch.rpm", "full_product_name":{ "product_id":"openEuler-22.03-LTS-SP1:python3-aiosmtpd-1.4.6-1.oe2203sp1.noarch", "name":"python3-aiosmtpd-1.4.6-1.oe2203sp1.noarch as a component of openEuler-22.03-LTS-SP1" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-22.03-LTS-SP1", "product_reference":"python-aiosmtpd-1.4.6-1.oe2203sp1.src.rpm", "full_product_name":{ "product_id":"openEuler-22.03-LTS-SP1:python-aiosmtpd-1.4.6-1.oe2203sp1.src", "name":"python-aiosmtpd-1.4.6-1.oe2203sp1.src as a component of openEuler-22.03-LTS-SP1" }, "category":"default_component_of" } ] }, "vulnerabilities":[ { "cve":"CVE-2024-34083", "notes":[ { "text":"aiosmptd is a reimplementation of the Python stdlib smtpd.py based on asyncio. Prior to version 1.4.6, servers based on aiosmtpd accept extra unencrypted commands after STARTTLS, treating them as if they came from inside the encrypted connection. This could be exploited by a man-in-the-middle attack. Version 1.4.6 contains a patch for the issue.", "category":"description", "title":"Vulnerability Description" } ], "product_status":{ "fixed":[ "openEuler-22.03-LTS-SP1:python-aiosmtpd-help-1.4.6-1.oe2203sp1.noarch", "openEuler-22.03-LTS-SP1:python3-aiosmtpd-1.4.6-1.oe2203sp1.noarch", "openEuler-22.03-LTS-SP1:python-aiosmtpd-1.4.6-1.oe2203sp1.src" ] }, "remediations":[ { "product_ids":[ "openEuler-22.03-LTS-SP1:python-aiosmtpd-help-1.4.6-1.oe2203sp1.noarch", "openEuler-22.03-LTS-SP1:python3-aiosmtpd-1.4.6-1.oe2203sp1.noarch", "openEuler-22.03-LTS-SP1:python-aiosmtpd-1.4.6-1.oe2203sp1.src" ], "details":"python-aiosmtpd security update", "category":"vendor_fix", "url":"https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2024-1695" } ], "scores":[ { "cvss_v3":{ "baseSeverity":"MEDIUM", "baseScore":5.4, "vectorString":"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version":"3.1" }, "products":[ "openEuler-22.03-LTS-SP1:python-aiosmtpd-help-1.4.6-1.oe2203sp1.noarch", "openEuler-22.03-LTS-SP1:python3-aiosmtpd-1.4.6-1.oe2203sp1.noarch", "openEuler-22.03-LTS-SP1:python-aiosmtpd-1.4.6-1.oe2203sp1.src" ] } ], "threats":[ { "details":"Medium", "category":"impact" } ], "title":"CVE-2024-34083" } ] }