Re: [CentOS] [security] Thunderbird vulnerable to MITM

2015-08-24 Thread Alice Wonder

On 08/24/2015 04:07 AM, Leonard den Ottolander wrote:
> Hello,
>
> On Sat, 2015-08-22 at 08:05 -0700, Alice Wonder wrote:
> > Thunderbird has a MITM vulnerability with its otherwise rather groovy
> > auto-configuration feature.
> >
> > The problem is that it makes requests via HTTP to retrieve the auto
> > configuration information.
> >
> > This allows a black hat (e.g. the NSA) to modify the results sent to the
> > client, and the client has no way to verify the results have not been
> > tampered with.
>
> Thank you for pointing out this vulnerability. However,
> https://lists.mozilla.org/listinfo/dev-apps-thunderbird seems like a
> more appropriate place to discuss your concerns. I doubt Red Hat will
> address this issue without upstream involvement and I'm sure CentOS will
> not.
>
> Regards,
> Leonard.

Done, thank you. And I found the following two bugzilla IDs:

https://bugzilla.mozilla.org/show_bug.cgi?id=664633 (2011)
https://bugzilla.mozilla.org/show_bug.cgi?id=971347 (2014)

___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
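The weakness quoted above (the configuration document is fetched over HTTP, so the client cannot tell a genuine document from a modified one) can be checked from the receiving side. The following Python is an added example, not code from the thread, from Thunderbird or from Mozilla: `transport_is_secure()` checks whether a config URL uses HTTPS, and `audit_autoconfig()` parses a clientConfig document and flags server entries whose socket type is not TLS or whose hostname lies outside the provider's domain. Element names follow Mozilla's published autoconfig XML format; the two sample documents and the example URLs are constructed, and the hostname check is a heuristic for review, not proof of tampering.

```python
"""Audit a Thunderbird-style autoconfig document (Mozilla's clientConfig XML).
Added example, not code from the thread or from Mozilla.  Two defender checks:
transport_is_secure() asks whether the config was fetched over HTTPS, since an
HTTP fetch leaves the client unable to tell a genuine document from a modified
one; audit_autoconfig() asks whether the document's content would send the
client to plaintext sockets or to hosts outside the provider's own domain."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Socket types that wrap the mail session in TLS; anything else is cleartext.
ENCRYPTED_SOCKET_TYPES = {"SSL", "STARTTLS"}


def transport_is_secure(url: str) -> bool:
    """True only when the config URL uses HTTPS."""
    return urlparse(url).scheme.lower() == "https"


def _host_in_domain(host: str, domain: str) -> bool:
    host, domain = host.lower().rstrip("."), domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def audit_autoconfig(xml_text: str, expected_domain: str) -> list:
    """Return human-readable findings; an empty list means nothing was flagged.
    The hostname check is a review heuristic, not proof of tampering: some
    providers legitimately serve mail from a different domain."""
    findings = []
    root = ET.fromstring(xml_text)
    for provider in root.iter("emailProvider"):
        domains = [d.text.strip() for d in provider.findall("domain") if d.text]
        if expected_domain not in domains:
            findings.append(f"provider {provider.get('id')!r} does not list {expected_domain}")
        for server in provider.findall("incomingServer") + provider.findall("outgoingServer"):
            host = (server.findtext("hostname") or "").strip()
            sock = (server.findtext("socketType") or "").strip()
            label = f"{server.tag} ({server.get('type')}) {host or '<no hostname>'}"
            if sock not in ENCRYPTED_SOCKET_TYPES:
                shown = repr(sock) if sock else "missing"
                findings.append(f"{label}: socketType {shown} is not TLS; credentials would go in the clear")
            if host and not _host_in_domain(host, expected_domain):
                findings.append(f"{label}: hostname is outside {expected_domain}; review")
    return findings


# Constructed sample: a sound document for example.com.
SAMPLE_GOOD = """<clientConfig version="1.1">
  <emailProvider id="example.com">
    <domain>example.com</domain>
    <incomingServer type="imap">
      <hostname>imap.example.com</hostname>
      <port>993</port>
      <socketType>SSL</socketType>
    </incomingServer>
    <outgoingServer type="smtp">
      <hostname>smtp.example.com</hostname>
      <port>587</port>
      <socketType>STARTTLS</socketType>
    </outgoingServer>
  </emailProvider>
</clientConfig>"""

# Constructed sample: the same document after modification in transit, of the
# kind the thread warns about: IMAP now points at a host outside example.com
# over a plaintext socket, and SMTP has lost STARTTLS.
SAMPLE_MODIFIED = """<clientConfig version="1.1">
  <emailProvider id="example.com">
    <domain>example.com</domain>
    <incomingServer type="imap">
      <hostname>mail.relay.invalid</hostname>
      <port>143</port>
      <socketType>plain</socketType>
    </incomingServer>
    <outgoingServer type="smtp">
      <hostname>smtp.example.com</hostname>
      <port>25</port>
      <socketType>plain</socketType>
    </outgoingServer>
  </emailProvider>
</clientConfig>"""

if __name__ == "__main__":
    # URL shapes are illustrative; the point is the scheme.
    for url in ("http://autoconfig.example.com/mail/config-v1.1.xml",
                "https://autoconfig.example.com/mail/config-v1.1.xml"):
        state = "ok" if transport_is_secure(url) else "plaintext fetch, content unauthenticated"
        print(f"{url}: {state}")
    for name, doc in (("good", SAMPLE_GOOD), ("modified", SAMPLE_MODIFIED)):
        print(f"{name}: {audit_autoconfig(doc, 'example.com') or ['no findings']}")
```

Run stand-alone it reports the HTTP URL as an unauthenticated fetch, no findings for the sound document, and three for the modified one (two plaintext socket types and one out-of-domain host). The transport check is the one that addresses the thread's point: content checks can only catch changes that look wrong, whereas an HTTPS fetch with a validated certificate prevents the modification in the first place.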


Re: [CentOS] [security] Thunderbird vulnerable to MITM

2015-08-24 Thread Leonard den Ottolander
Hello,

On Sat, 2015-08-22 at 08:05 -0700, Alice Wonder wrote:
> Thunderbird has a MITM vulnerability with its otherwise rather groovy 
> auto-configuration feature.
> 
> The problem is that it makes requests via HTTP to retrieve the auto 
> configuration information.
> 
> This allows a black hat (e.g. the NSA) to modify the results sent to the 
> client, and the client has no way to verify the results have not been 
> tampered with.

Thank you for pointing out this vulnerability. However, 
https://lists.mozilla.org/listinfo/dev-apps-thunderbird seems like a
more appropriate place to discuss your concerns. I doubt Red Hat will
address this issue without upstream involvement and I'm sure CentOS will
not.

Regards,
Leonard.

-- 
mount -t life -o ro /dev/dna /genetic/research




Re: [CentOS] [security] Thunderbird vulnerable to MITM

2015-08-23 Thread Alice Wonder

On 08/23/2015 10:17 AM, Always Learning wrote:
> Yes some people's version of politics is annoying. Politics ought to be
> about creating pragmatic solutions for the public good rather than
> enforcing brain-dead dogma.
>
> MariaDB is a so-called "drop-in" replacement for MySQL although I
> understand version 10 is not compatible.
>
> Could LibreSSL create a "drop-in" replacement version for OpenSSL?

No, they remain API compatible with OpenSSL 1.0.1 but they are not ABI
compatible, and they do not wish to be.

Anything built against OpenSSL has to be recompiled to use LibreSSL.

Both libraries though can exist on the system at the same time,
installed in the standard /usr prefix - so you can have both installed.

/usr/bin/openssl is the only conflict - resolved by renaming the binary
from LibreSSL to /usr/bin/libressl on systems with both.

I don't worry that much about OpenSSL being there, it is just the public
facing servers I want to use LibreSSL.



Re: [CentOS] [security] Thunderbird vulnerable to MITM

2015-08-23 Thread Always Learning

On Sun, 2015-08-23 at 07:57 -0700, Alice Wonder wrote:


> I stopped using Fedora because as soon as it was stable it was end of 
> life and I was forced to install a new bleeding edge unstable version.

I am 'conservative' too. Once something is working well I do not wish to
change it unless there is a compelling conspicuous advantage.

> I do not like bleeding edge for most things, I use mate in CentOS 
> because GNOME 3 is not to my liking, for example, and makes me feel like 
> I am fighting the desktop instead of using the desktop.

Bleeding edge inevitably means 'bugs' and, potentially, data loss and/or
paralysed systems. Fortunately I have yet to encounter any of the
delights of C7 as C5 and C6 fulfil my needs.

> I do not know if LibreSSL will ever be part of Fedora or CentOS because 
> FIPS support is not one of the goals of the projects, but FIPS didn't 
> protect anyone from the several OpenSSL vulnerabilities that led to 
> LibreSSL so FIPS is not a concern of mine, but it is a requirement for 
> some places so I suspect it will be difficult for it to enter the Red 
> Hat ecosystem.
> 
> RHEL packages need to build against OpenSSL to have FIPS and so Fedora 
> packages will continue to build against OpenSSL. Politics sucks.

Yes some people's version of politics is annoying. Politics ought to be
about creating pragmatic solutions for the public good rather than
enforcing brain-dead dogma.

MariaDB is a so-called "drop-in" replacement for MySQL although I
understand version 10 is not compatible.

Could LibreSSL create a "drop-in" replacement version for OpenSSL ?


-- 
Regards,

Paul.
England, EU.  England's place is in the European Union.



Re: [CentOS] [security] Thunderbird vulnerable to MITM

2015-08-23 Thread Alice Wonder

On 08/23/2015 07:25 AM, Always Learning wrote:
> On Sat, 2015-08-22 at 08:05 -0700, Alice Wonder wrote:
> > Thunderbird has a MITM vulnerability with its otherwise rather groovy
> > auto-configuration feature.
>
> > https://librelamp.com/FooBird#security
> >
> > has what I think would be the easiest solution while keeping the
> > ability to auto-configure stuff.
>
> As for LibreSSL et al, perhaps you could mention all your concerns on
> Fedora? It's the place where, it often seems, everything in Centos
> originates from.
>
> You will benefit from your own mailing list/web forum. Your attitude and
> concerns are not unique.

I stopped using Fedora because as soon as it was stable it was end of
life and I was forced to install a new bleeding edge unstable version.

I do not like bleeding edge for most things, I use mate in CentOS
because GNOME 3 is not to my liking, for example, and makes me feel like
I am fighting the desktop instead of using the desktop.

I do not know if LibreSSL will ever be part of Fedora or CentOS because
FIPS support is not one of the goals of the projects, but FIPS didn't
protect anyone from the several OpenSSL vulnerabilities that led to
LibreSSL so FIPS is not a concern of mine, but it is a requirement for
some places so I suspect it will be difficult for it to enter the Red
Hat ecosystem.

RHEL packages need to build against OpenSSL to have FIPS and so Fedora
packages will continue to build against OpenSSL. Politics sucks.



Re: [CentOS] [security] Thunderbird vulnerable to MITM

2015-08-23 Thread Always Learning

On Sat, 2015-08-22 at 08:05 -0700, Alice Wonder wrote:

> Thunderbird has a MITM vulnerability with its otherwise rather groovy 
> auto-configuration feature.

> https://librelamp.com/FooBird#security
> 
> has what I think would be the easiest solution while keeping the
> ability to auto-configure stuff.

As for LibreSSL et al, perhaps you could mention all your concerns on
Fedora? It's the place where, it often seems, everything in Centos
originates from.

You will benefit from your own mailing list/web forum. Your attitude and
concerns are not unique.


-- 
Best regards,

Paul.
England, EU.  England's place is in the European Union.
