severity 334621 important
thanks

On Wed, Oct 19, 2005 at 10:42:06AM +1000, Geoff Crompton wrote:
> Package: mozilla-thunderbird
> Version: 1.0.2-2.sarge1.0.6
> Severity: grave
> Justification: user security hole
>
> Thunderbird reverts to plain authentication for SMTP, in order to
> provide more compatibility for SMTP servers that don't support crypt
> auth. However, no warning is given to the user, and there is no way to
> override this behaviour, so it is very easy for users' passwords to be
> sent in clear text.
>
> This is in Mozilla's bugzilla:
> https://bugzilla.mozilla.org/show_bug.cgi?id=311657
>
> It seems that at the moment upstream isn't too concerned about it. But
> it sure as heck alarms me.
>
> The researcher who discovered it has this page:
> http://www.henlich.de/moz-smtp/
>
> I first saw it mentioned on Security Focus:
> http://www.securityfocus.com/bid/15106
I guess your SMTP server should support TLS to be secure. Though a switch to force secure authentication would be good IMO, it's not a grave bug, because Thunderbird does not pretend that it uses secure authentication for SMTP at all.

-- 
GPG messages preferred.
Alexander Sack
[EMAIL PROTECTED]
http://www.asoftsite.org
Debian GNU/Linux, the universal operating system: http://www.debian.org
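As an added example (not part of this bug report, of Thunderbird, or of the Debian maintainer's reply), here is the server-side check that follows from Alexander's point: a Python parser for the EHLO reply a mail server sends before STARTTLS, reporting whether it would accept the cleartext mechanisms (PLAIN, LOGIN) that a silently downgrading client falls back to. The EHLO replies below are constructed samples, not captures from any real server.

```python
"""Audit an SMTP server's pre-STARTTLS EHLO reply for the exposure described
in the bug: a client that quietly falls back to AUTH PLAIN/LOGIN only leaks a
password if the server accepts those mechanisms on an unencrypted session."""

# Mechanisms that carry the password in cleartext (base64 is not encryption).
CLEARTEXT_MECHS = {"PLAIN", "LOGIN"}

# Constructed sample: server advertises cleartext AUTH before TLS (weak).
WEAK_EHLO = """220 mail.example.test ESMTP (constructed sample)
250-mail.example.test Hello client.example.test
250-SIZE 10240000
250-STARTTLS
250-AUTH PLAIN LOGIN CRAM-MD5
250 8BITMIME"""

# Constructed sample: AUTH is only offered after STARTTLS, so nothing here.
HARDENED_EHLO = """250-mail.example.test Hello client.example.test
250-SIZE 10240000
250-STARTTLS
250 8BITMIME"""


def parse_ehlo(response: str) -> dict:
    """Parse '250-KEYWORD params' / '250 KEYWORD params' lines into
    {KEYWORD: [PARAMS]}. The first 250 line (greeting) is skipped, and the
    legacy 'AUTH=PLAIN LOGIN' spelling is folded into the AUTH keyword."""
    caps, seen_greeting = {}, False
    for raw in response.splitlines():
        line = raw.strip()
        if not line.startswith("250") or len(line) < 5:
            continue  # banner, other reply codes, or a bare '250'
        if not seen_greeting:
            seen_greeting = True  # hostname greeting, not a capability
            continue
        parts = line[4:].split()
        keyword = parts[0].upper()
        if keyword.startswith("AUTH="):
            parts = ["AUTH", keyword[5:]] + parts[1:]
            keyword = "AUTH"
        caps.setdefault(keyword, []).extend(p.upper() for p in parts[1:])
    return caps


def assess_plaintext_auth(pre_tls_ehlo: str) -> dict:
    """Report which cleartext mechanisms a downgrading client could use on
    the unencrypted session, and whether STARTTLS is offered at all."""
    caps = parse_ehlo(pre_tls_ehlo)
    exposed = sorted(set(caps.get("AUTH", [])) & CLEARTEXT_MECHS)
    return {
        "starttls_offered": "STARTTLS" in caps,
        "cleartext_mechs_before_tls": exposed,
        "password_leak_possible": bool(exposed),
    }
```

Run the same check on the EHLO reply captured after STARTTLS to confirm AUTH appears only there.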