[3.3] bpo-30585: [security] raise an error when STARTTLS fails (#225)

vstinner · ned-deily · commit 3625f7fd1167 · 2017-07-18T20:44:38.000-04:00
(cherry picked from commit 46b32f3)
diff --git a/Lib/smtplib.py b/Lib/smtplib.py
@@ -680,6 +680,11 @@ def starttls(self, keyfile=None, certfile=None, context=None):
             self.ehlo_resp = None
             self.esmtp_features = {}
             self.does_esmtp = 0
+        else:
+            # RFC 3207:
+            # 501 Syntax error (no parameters allowed)
+            # 454 TLS not available due to temporary reason
+            raise SMTPResponseException(resp, reply)
         return (resp, reply)
 
     def sendmail(self, from_addr, to_addrs, msg, mail_options=[],
diff --git a/Misc/NEWS b/Misc/NEWS
@@ -35,6 +35,9 @@ Core and Builtins
 Library
 -------
 
+- [Security] bpo-30585: Fix TLS stripping vulnerability in smptlib,
+  CVE-2016-0772.  Reported by Team Oststrom
+
 - [Security] bpo-30694: Upgrade expat copy from 2.2.0 to 2.2.1 to get fixes
   of multiple security vulnerabilities including: CVE-2017-9233 (External
   entity infinite loop DoS), CVE-2016-9063 (Integer overflow, re-fix),
