python smtplib starttls stripping attack
Python's implementation of smtplib fails to raise an exception upon an unexpected response during negotiation of TLS via the STARTTLS protocol. This allows a MitM capable of injecting SMTP messages to force smtplib to silently abort TLS negotiation and proceed to transmit in cleartext (impacting confidentiality).
For more details see 
This potentially affects a variety of open source projects, including Django, web2py, ...
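A client-side guard against the silent downgrade described above, as an added example (not code from the original note, CPython, or the referenced patch): `starttls_or_fail` refuses to continue unless the STARTTLS reply is 220 and the socket is actually wrapped in TLS. The names `starttls_or_fail`, `TLSNotEstablished`, `_test_peer` and `demo`, and the local peer that answers STARTTLS with 454, are constructed for illustration.

```python
import smtplib
import socket
import ssl
import threading

class TLSNotEstablished(Exception):
    """The session is still cleartext after STARTTLS."""

def starttls_or_fail(smtp, context=None):
    """Upgrade to TLS and fail closed unless the socket is really wrapped."""
    smtp.ehlo_or_helo_if_needed()
    if not smtp.has_extn("starttls"):
        raise TLSNotEstablished("STARTTLS not advertised")
    try:
        code, _ = smtp.starttls(context=context or ssl.create_default_context())
    except smtplib.SMTPResponseException as exc:  # patched smtplib raises
        raise TLSNotEstablished("STARTTLS reply %d" % exc.smtp_code) from exc
    # Unpatched smtplib returns the unexpected reply and stays in cleartext.
    if code != 220 or not isinstance(smtp.sock, ssl.SSLSocket):
        raise TLSNotEstablished("STARTTLS reply %d, socket not TLS" % code)

def _test_peer(listener, seen):
    """Constructed local peer: advertises STARTTLS, then answers it with 454."""
    conn, _ = listener.accept()
    with conn, conn.makefile("rwb") as f:
        f.write(b"220 test.invalid ESMTP\r\n")
        f.flush()
        for line in f:
            verb = line.split()[0].upper().decode()
            seen.append(verb)  # record what the client sent, in order
            replies = {"EHLO": b"250-test.invalid\r\n250 STARTTLS\r\n",
                       "STARTTLS": b"454 TLS not available\r\n"}
            f.write(replies.get(verb, b"502 not implemented\r\n"))
            f.flush()

def demo():
    """Return (guard_fired, verbs the peer received)."""
    seen = []
    with socket.create_server(("127.0.0.1", 0)) as listener:
        threading.Thread(target=_test_peer, args=(listener, seen), daemon=True).start()
        smtp = smtplib.SMTP("127.0.0.1", listener.getsockname()[1],
                            local_hostname="client.invalid", timeout=5)
        try:
            starttls_or_fail(smtp)
        except TLSNotEstablished:
            return True, seen
        finally:
            smtp.close()
    return False, seen
```

Call `starttls_or_fail(smtp)` before `login()` or `sendmail()`; because it checks the socket type itself, it fails closed on both patched and unpatched interpreters.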
Initially reported to the Python PSRT (timeline see ) with details, PoC and patch. The patch was accepted and recently landed in Python 2.7/3.x [3,4]. Full details and the actual research material that was securely disclosed to the Python PSRT will be made available at  (currently a preliminary vulnerability note).
striptls is a generic, protocol-independent TLS interception proxy written in Python that is also capable of probing for various STARTTLS stripping vectors in SMTP, POP3, IMAP, FTP, XMPP, ACAP and IRC. It is also available via pip install striptls (pretty handy for sniffing/proxying proprietary protocols based on top of implicit/explicit TLS).
Vendor announcements: [5,6,7]
The preliminary vulnerability note will be updated in accordance with the Python software release scheduled for June 26th.
[1] https://github.com/tintinweb/pub/tree/master/pocs/cve-2016-0772
[2] https://github.com/tintinweb/striptls
[3] https://hg.python.org/cpython/rev/d590114c2394
[4] https://hg.python.org/cpython/rev/b3ce713fb9be
[5] http://www.openwall.com/lists/oss-security/2016/06/14/9
[6] https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-0772
[7] https://access.redhat.com/security/cve/cve-2016-0772