[CentOS] [security] Thunderbird vulnerable to MITM

Leonard den Ottolander leonard at den.ottolander.nl
Mon Aug 24 11:07:41 UTC 2015


Hello,

On Sat, 2015-08-22 at 08:05 -0700, Alice Wonder wrote:
> Thunderbird has a MITM vulnerability with its otherwise rather groovy 
> auto-configuration feature.
> 
> The problem is that it makes requests via HTTP to retrieve the auto 
> configuration information.
> 
> This allows a black hat (e.g. the NSA) to modify the results sent to the 
> client, and the client has no way to verify the results have not been 
> tampered with.

Thank you for pointing out this vulnerability. However, 
https://lists.mozilla.org/listinfo/dev-apps-thunderbird seems like a
more appropriate place to discuss your concerns. I doubt Red Hat will
address this issue without upstream involvement and I'm sure CentOS will
not.

Regards,
Leonard.

-- 
mount -t life -o ro /dev/dna /genetic/research




