Package: mozilla-thunderbird
Version: 1.0.2-2.sarge1.0.6
Severity: grave
Justification: user security hole

Thunderbird reverts to plain authentication for SMTP, in order to provide more compatibility for SMTP servers that don't support crypt auth. However, no warning is given to the user, and there is no way to override this behaviour, so it is very easy for users' passwords to be sent in clear text.

This is in Mozilla's Bugzilla: https://bugzilla.mozilla.org/show_bug.cgi?id=311657

It seems that at the moment upstream isn't too concerned about it. But it sure as heck alarms me.

The researcher who discovered it has this page: http://www.henlich.de/moz-smtp/

I first saw it mentioned on Security Focus: http://www.securityfocus.com/bid/15106
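
The fail-closed mechanism selection the report finds missing, sketched as an added example (not part of the original report and not Thunderbird's code): an SMTP client parses the AUTH line of the EHLO reply and refuses to fall back to a cleartext mechanism on an unencrypted connection unless the user explicitly opts in. The function names, the preference order and the sample EHLO replies are assumptions made for illustration.

```python
import re

# Challenge-response mechanisms, in (assumed) order of preference.
CHALLENGE_RESPONSE = ["SCRAM-SHA-256", "SCRAM-SHA-1", "CRAM-MD5"]
# Mechanisms that put the password itself on the wire (base64 is not encryption).
CLEARTEXT = ["PLAIN", "LOGIN"]


class InsecureAuthRefused(Exception):
    """Raised instead of silently falling back to a cleartext mechanism."""


def parse_auth_mechanisms(ehlo_reply: str) -> set:
    """Collect mechanisms from '250-AUTH ...', '250 AUTH ...' and legacy '250-AUTH=...' lines."""
    mechs = set()
    for line in ehlo_reply.splitlines():
        m = re.match(r"250[- ]AUTH[ =](.*)$", line.strip(), re.IGNORECASE)
        if m:
            mechs.update(tok.upper() for tok in m.group(1).split())
    return mechs


def choose_mechanism(ehlo_reply: str, tls_active: bool, allow_cleartext: bool = False) -> str:
    """Pick an AUTH mechanism; fail closed when only cleartext is on offer without TLS."""
    offered = parse_auth_mechanisms(ehlo_reply)
    for mech in CHALLENGE_RESPONSE:
        if mech in offered:
            return mech
    usable = [m for m in CLEARTEXT if m in offered]
    if not usable:
        raise InsecureAuthRefused("server offers no supported AUTH mechanism")
    if tls_active or allow_cleartext:  # allow_cleartext models an explicit user override
        return usable[0]
    raise InsecureAuthRefused(
        "server offers only " + ", ".join(usable) + " and the connection is not encrypted"
    )


# Constructed EHLO replies (not captured from a real server).
EHLO_STRONG = "250-mail.example.test\r\n250-AUTH CRAM-MD5 PLAIN LOGIN\r\n250 SIZE 10240000"
EHLO_WEAK = "250-mail.example.test\r\n250-AUTH PLAIN LOGIN\r\n250 SIZE 10240000"
```

A caller would surface InsecureAuthRefused to the user as a warning and send credentials only after an explicit choice, rather than retrying with PLAIN on its own.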