On 08/24/2015 04:07 AM, Leonard den Ottolander wrote:
> Hello,
>
> On Sat, 2015-08-22 at 08:05 -0700, Alice Wonder wrote:
>> Thunderbird has a MITM vulnerability with its otherwise rather groovy
>> auto-configuration feature.
>>
>> The problem is that it makes requests via HTTP to retrieve the auto
>> configuration information.
>>
>> This allows a black hat (e.g. the NSA) to modify the results sent to the
>> client, and the client has no way to verify the results have not been
>> tampered with.
>
> Thank you for pointing out this vulnerability. However,
> https://lists.mozilla.org/listinfo/dev-apps-thunderbird seems like a
> more appropriate place to discuss your concerns. I doubt Red Hat will
> address this issue without upstream involvement and I'm sure CentOS will
> not.
>
> Regards,
> Leonard.
>

Done, thank you.

And I found the following two bugzilla IDs:

https://bugzilla.mozilla.org/show_bug.cgi?id=664633 (2011)
https://bugzilla.mozilla.org/show_bug.cgi?id=971347 (2014)