OESA-2024-1321

See a problem?
Please try reporting it to the source first.
Source
https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2024-1321
Import Source
https://repo.openeuler.org/security/data/osv/OESA-2024-1321.json
JSON Data
https://api.test.osv.dev/v1/vulns/OESA-2024-1321
Upstream
Published
2024-03-22T11:07:17Z
Modified
2025-08-12T05:25:39.854038Z
Summary
python-aiosmtpd security update
Details

This is a server for SMTP and related protocols, similar in utility to the standard library's smtpd.py module, but rewritten to be based on asyncio for Python 3.

Security Fix(es):

aiosmtpd is a reimplementation of the Python stdlib smtpd.py based on asyncio. aiosmtpd is vulnerable to inbound SMTP smuggling. SMTP smuggling is a novel vulnerability based on not so novel interpretation differences of the SMTP protocol. By exploiting SMTP smuggling, an attacker may send smuggle/spoof e-mails with fake sender addresses, allowing advanced phishing attacks. This issue is also existed in other SMTP software like Postfix. With the right SMTP server constellation, an attacker can send spoofed e-mails to inbound/receiving aiosmtpd instances. This issue has been addressed in version 1.4.5. Users are advised to upgrade. There are no known workarounds for this vulnerability.(CVE-2024-27305)

Database specific 
{
    "severity": "Medium"
}
References

Affected packages

openEuler:22.03-LTS-SP2 / python-aiosmtpd

Package

Name
python-aiosmtpd
Purl
pkg:rpm/openEuler/python-aiosmtpd&distro=openEuler-22.03-LTS-SP2

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.4.2-2.oe2203sp2

Ecosystem specific 

{
    "src": [
        "python-aiosmtpd-1.4.2-2.oe2203sp2.src.rpm"
    ],
    "noarch": [
        "python3-aiosmtpd-1.4.2-2.oe2203sp2.noarch.rpm",
        "python-aiosmtpd-help-1.4.2-2.oe2203sp2.noarch.rpm"
    ]
}