Debian Long Term Support / LTS Security Information / 2017 / Security Information -- DLA-871-1 python3.2

Debian Security Advisory

DLA-871-1 python3.2 -- LTS security update

Date Reported:

25 Mar 2017

Affected Packages:

python3.2

Vulnerable:

Yes

Security database references:

In Mitre's CVE dictionary: CVE-2016-0772.

More information:

It was discovered that there was a TLS stripping vulnerability in the smptlib library distributed with the CPython interpreter.

The library did not return an error if StartTLS failed, which might have allowed man-in-the-middle attackers to bypass the TLS protections by leveraging a network position to block the StartTLS command.

For Debian 7 Wheezy, this issue has been fixed in python3.2 version 3.2.3-7+deb7u1.

We recommend that you upgrade your python3.2 packages.