Re: [security] Thunderbird vulnerable to MITM

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]





On 08/24/2015 04:07 AM, Leonard den Ottolander wrote:
Hello,

On Sat, 2015-08-22 at 08:05 -0700, Alice Wonder wrote:
Thunderbird has a MITM vulnerability with its otherwise rather groovy
auto-configuration feature.

The problem is that it makes requests via HTTP to retrieve the auto
configuration information.

This allows a black hat (e.g. the NSA) to modify the results sent to the
client, and the client has no way to verify the results have not been
tampered with.

Thank you for pointing out this vulnerability. However,
https://lists.mozilla.org/listinfo/dev-apps-thunderbird seems like a
more appropriate place to discuss your concerns. I doubt Red Hat will
address this issue without upstream involvement and I'm sure CentOS will
not.

Regards,
Leonard.


Done, thank you. And I found the following two bugzilla IDs :

https://bugzilla.mozilla.org/show_bug.cgi?id=664633 (2011)
https://bugzilla.mozilla.org/show_bug.cgi?id=971347 (2014)

_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos



[Index of Archives]     [CentOS]     [CentOS Announce]     [CentOS Development]     [CentOS ARM Devel]     [CentOS Docs]     [CentOS Virtualization]     [Carrier Grade Linux]     [Linux Media]     [Asterisk]     [DCCP]     [Netdev]     [Xorg]     [Linux USB]
  Powered by Linux