Debian Security Advisory

DLA-871-1 python3.2 -- LTS security update

Date Reported:
25 Mar 2017
Affected Packages:
Security database references:
In Mitre's CVE dictionary: CVE-2016-0772.
More information:

It was discovered that there was a TLS stripping vulnerability in the smptlib library distributed with the CPython interpreter.

The library did not return an error if StartTLS failed, which might have allowed man-in-the-middle attackers to bypass the TLS protections by leveraging a network position to block the StartTLS command.

For Debian 7 Wheezy, this issue has been fixed in python3.2 version 3.2.3-7+deb7u1.

We recommend that you upgrade your python3.2 packages.