https://bz.apache.org/ooo/show_bug.cgi?id=128194
Issue ID: 128194
Issue Type: DEFECT
Summary: bugzilla mailserver does not use TLS on outbound
connections => security problem and GDPR violation
Product: Infrastructure
Version: current
Hardware: All
OS: All
Status: UNCONFIRMED
Severity: Critical
Priority: P5 (lowest)
Component: Bugzilla
Assignee: [email protected]
Reporter: [email protected]
Target Milestone: ---
This is for your debug attempts:
2019-09-09 12:20:07 H=hermes.apache.org (mail.apache.org) [207.244.88.153] F=<[email protected]> rejected RCPT <[email protected]>: Sender did not use TLS secured connection. Sender benutzte keine TLS gesicherte Verbindung.
I had to disable the EU GDPR policy checks to get the account token mail, which
is a DP violation for European corporations and organisations (§32 EU GDPR 2016; if
you want to know more about the impacts on the EU, you can check the Exim ML from
last Friday ;) ).
As you can see, NO ENCRYPTION was used at all.
The mailserver sends LOGIN TOKENS without encryption to anyone, which is a
security issue in itself, but it gets worse when I have to assume that sensitive
bug report content is also sent without encryption around the planet.
Mozilla had the same problem, and the fact that you also have it makes me think.
They fixed it this year.
It's possible that the bugzilla stack has a small security problem.
FYI: a news report about this issue has already been launched today; taking it
seriously would be a smart move.
BTW: the email address for this account had an AF BZ account before, but for
some unknown reason it got completely removed.
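A receiving-side check for the problem reported above, added here as an example and not part of the bug report or of the Apache infrastructure: it audits the Received headers of a delivered message (for instance the account token mail) and flags every hop whose "with" protocol token is not one of the TLS-protected tokens defined in RFC 3848 (ESMTPS, ESMTPSA and their UTF8 variants). The sample message and all host names in it are constructed for this example.

```python
import email
import re

# RFC 3848 "with" protocol tokens that denote a hop received over TLS.
TLS_PROTOCOLS = {"esmtps", "esmtpsa", "utf8smtps", "utf8smtpsa"}

FROM_RE = re.compile(r"^from\s+(\S+)", re.IGNORECASE)
BY_RE = re.compile(r"\bby\s+(\S+)", re.IGNORECASE)
WITH_RE = re.compile(r"\bwith\s+([A-Za-z0-9]+)", re.IGNORECASE)


def strip_comments(text: str) -> str:
    """Drop (possibly nested) parenthesised comments from a Received value.

    Postfix puts '(using TLSv1.2 with cipher ...)' in a comment, so the
    comment must go before we look for the real 'with <protocol>' clause.
    """
    out, depth = [], 0
    for ch in text:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth = max(depth - 1, 0)
        elif depth == 0:
            out.append(ch)
    # Collapse folded whitespace into single spaces.
    return " ".join("".join(out).split())


def audit_received(raw_message: str) -> list:
    """Return one dict per Received header, in header order (last hop first)."""
    msg = email.message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        clause = strip_comments(value)
        m_from, m_by, m_with = FROM_RE.match(clause), BY_RE.search(clause), WITH_RE.search(clause)
        proto = m_with.group(1).lower() if m_with else ""
        hops.append({
            "from": m_from.group(1) if m_from else "?",
            "by": m_by.group(1) if m_by else "?",
            "protocol": proto,
            # A hop without any 'with' clause (e.g. local injection) is also
            # reported as not TLS-protected, which is the conservative reading.
            "tls": proto in TLS_PROTOCOLS,
        })
    return hops


def unencrypted_hops(raw_message: str) -> list:
    """Only the hops that were not protected by TLS."""
    return [hop for hop in audit_received(raw_message) if not hop["tls"]]


# Constructed sample: a token mail that crossed one clear-text hop (Exim,
# 'with esmtp') and one TLS hop (Postfix, 'with ESMTPS').
SAMPLE_MESSAGE = """\
Received: from relay.example.org (relay.example.org [192.0.2.10])
    (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
    by mx.example.net (Postfix) with ESMTPS id 4ABCDEF;
    Mon, 9 Sep 2019 12:20:07 +0200
Received: from issuetracker.example.org ([203.0.113.5])
    by relay.example.org with esmtp (Exim 4.92)
    id 1i7Fx3-0001Ab-9Z; Mon, 9 Sep 2019 12:20:05 +0200
From: [email protected]
To: [email protected]
Subject: Your account token

token follows
"""

if __name__ == "__main__":
    for hop in audit_received(SAMPLE_MESSAGE):
        status = "TLS" if hop["tls"] else "CLEAR-TEXT"
        print(f"{status:10} {hop['from']} -> {hop['by']} ({hop['protocol'] or 'no protocol'})")
```

Received headers are written by each receiving MTA, so only the hop recorded by your own server is one you can fully trust; earlier hops are useful for spotting where a sender's outbound MTA stopped offering STARTTLS, but an untrusted relay could write anything there.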