Bug 175021

Summary:	mail-client/mozilla-thunderbird{-bin} APOP design error (CVE-2007-1558)
Product:	Gentoo Security	Reporter:	Sune Kloppenborg Jeppesen (RETIRED) <jaervosz>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED DUPLICATE
Severity:	normal	CC:	mozilla
Priority:	High
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1558
Whiteboard:	B3? [upstream] jaervosz
Package list:		Runtime testing required:	---

Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2007-04-18 05:24:19 UTC

The APOP protocol allows remote attackers to guess the first 3 characters of a password via man-in-the-middle (MITM) attacks that use crafted message IDs and MD5 collisions.

Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2007-05-02 11:16:38 UTC

mozilla any news on this one?

Comment 2 Raúl Porcel (RETIRED) gentoo-dev

2007-05-02 12:44:59 UTC

Upstream seems to ignore this bug. No distro has issued a security advisory.

Comment 3 Bugs Bunny 2007-05-06 02:23:48 UTC

(In reply to comment #1)
> mozilla any news on this one?
> 

This is such a minute issue that upstream is not gonna bother with it. Reason being that every user should know that a 3 letter password is shit to begin with, and the fact that is the first three characters give up the actuall password the users should be compromised.

Comment 4 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2007-05-06 09:49:42 UTC

Passwords don't need to be of 3 characters length or less to be affected by this. Brute force and dictionary attacks would be much easier.

Comment 5 Raúl Porcel (RETIRED) gentoo-dev

2007-05-31 11:11:38 UTC

This is being handled in bug 180436

*** This bug has been marked as a duplicate of bug 180436 ***