Thunderbird has a MITM vulnerability with its otherwise rather groovy
auto-configuration feature.
The problem is that it makes requests via HTTP to retrieve the auto
configuration information.
This allows a black hat (e.g. the NSA) to modify the results sent to the
client, and the client has no way to verify the results have not been
tampered with.
This could even allow the black hat to act as a proxy for quite some
time and the client may never know.
This vulnerability is not something that can just be patched without
breaking most auto-configuration.
I have what I think is a solution to the problem, but I think it needs
further review - and it needs someone who actually has the right
contacts in the software and hosting worlds to get it implemented.
That's not me; I don't really like most people and the feeling tends to
be mutual. Anti-social issues aside, I do think this needs to be fixed.
https://librelamp.com/FooBird#security
has what I think would be the easiest solution while keeping the ability
to auto-configure stuff.
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
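As an added illustration of the problem described in the post above (this is example code, not the poster's proposed fix and not Thunderbird's own code): the clientConfig v1.1 XML layout is the real autoconfig format, but the two documents, the domain names and the check heuristics are constructed here. The "tampered" document is what an on-path attacker could hand back in place of a plain-HTTP response: same structure, different hostnames, TLS switched off. The check function flags a config fetched over HTTP, a config that disables TLS on the mail connection, and a server outside the user's mail domain; the last rule is a heuristic and would also fire for a domain legitimately hosted by a third-party provider.

```python
"""Model of the autoconfig lookup discussed in the post. Added example,
not the poster's solution and not Thunderbird code. The XML format is the
real clientConfig v1.1 layout; the sample documents, domains and the
checks below are constructed for this example."""
import xml.etree.ElementTree as ET

# Constructed: the document a legitimate provider would publish.
GOOD_CONFIG = """<clientConfig version="1.1">
  <emailProvider id="example.com">
    <domain>example.com</domain>
    <incomingServer type="imap">
      <hostname>imap.example.com</hostname>
      <port>993</port>
      <socketType>SSL</socketType>
      <authentication>password-cleartext</authentication>
      <username>%EMAILADDRESS%</username>
    </incomingServer>
    <outgoingServer type="smtp">
      <hostname>smtp.example.com</hostname>
      <port>465</port>
      <socketType>SSL</socketType>
      <authentication>password-cleartext</authentication>
      <username>%EMAILADDRESS%</username>
    </outgoingServer>
  </emailProvider>
</clientConfig>
"""

# Constructed: what an on-path attacker could substitute for the plain-HTTP
# response, sending the client (and its password) to a relay they control.
TAMPERED_CONFIG = (
    GOOD_CONFIG
    .replace("imap.example.com", "mail.relay-attacker.example")
    .replace("smtp.example.com", "mail.relay-attacker.example")
    .replace("<socketType>SSL</socketType>", "<socketType>plain</socketType>")
    .replace("<port>993</port>", "<port>143</port>")
    .replace("<port>465</port>", "<port>587</port>")
)


def parse_autoconfig(xml_text):
    """Return one dict per incomingServer/outgoingServer entry."""
    root = ET.fromstring(xml_text)
    servers = []
    for provider in root.findall("emailProvider"):
        for tag in ("incomingServer", "outgoingServer"):
            for srv in provider.findall(tag):
                servers.append({
                    "role": tag,
                    "type": srv.get("type"),
                    "hostname": srv.findtext("hostname"),
                    "port": int(srv.findtext("port")),
                    "socketType": srv.findtext("socketType"),
                })
    return servers


def check_autoconfig(xml_text, mail_domain, fetched_over_https):
    """Heuristic checks (an assumption of this example, not the fix the
    post links to). Returns a list of human-readable findings; an empty
    list means nothing suspicious was seen."""
    findings = []
    if not fetched_over_https:
        # The core issue in the post: plain HTTP gives the client no way
        # to tell a genuine document from a modified one.
        findings.append("config fetched over plain HTTP: contents are unauthenticated")
    for srv in parse_autoconfig(xml_text):
        if srv["socketType"] not in ("SSL", "STARTTLS"):
            findings.append(
                f"{srv['role']}: socketType {srv['socketType']!r} "
                f"disables TLS to {srv['hostname']}")
        host = srv["hostname"].lower()
        if host != mail_domain and not host.endswith("." + mail_domain):
            findings.append(f"{srv['role']}: {host} is outside {mail_domain}")
    return findings


if __name__ == "__main__":
    for name, doc in (("good", GOOD_CONFIG), ("tampered", TAMPERED_CONFIG)):
        print(name, check_autoconfig(doc, "example.com", fetched_over_https=False))
```

Run as a script, the good document produces only the plain-HTTP finding, which is the point of the post: the document itself is fine, the transport is what lets it be swapped. The tampered document additionally trips the TLS and out-of-domain checks on both servers.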