Jakob Bohm writes:
That said, I think it would be slightly safer, just in case the issue becomes real, for courier to treat this particular protocol violation as fatal and abort the connection before or during the TLS negotiation. However, since this is mostly a hypothetical problem at this stage, I don't think it warrants an out-of-schedule security update or advisory, just something to tweak later.
That's pretty much the same conclusion I reached. This is not an issue at present. Nothing can be accomplished by exploiting it that an attacker in a position to exploit it cannot already accomplish via other means.
This is something that can be addressed at some convenient time later. I wouldn't abort it, just flush it away. That's what other implementations picked to do.
Courier-imap mailing list
Courier-imap@lists.sourceforge.net
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-imap