From owner-freebsd-security  Fri Jun  7 15:25:22 2002
Delivered-To: freebsd-security@freebsd.org
Received: from skynet.stack.nl (insgate.stack.nl [131.155.140.2])
	by hub.freebsd.org (Postfix) with ESMTP id A9EEF37B400
	for <security@FreeBSD.ORG>; Fri,  7 Jun 2002 15:25:11 -0700 (PDT)
Received: from dragon.stack.nl (dragon.stack.nl [2001:610:1108:5011:202:b3ff:fe17:a4cb])
	by skynet.stack.nl (Postfix) with ESMTP
	id 3D9924011; Sat,  8 Jun 2002 00:25:47 +0200 (CEST)
Received: by dragon.stack.nl (Postfix, from userid 1600)
	id A20E8988A; Sat,  8 Jun 2002 00:21:37 +0200 (CEST)
Date: Sat, 8 Jun 2002 00:21:37 +0200
From: Dean Strik <dean@stack.nl>
To: Roger Marquis <marquis@roble.com>
Cc: security@FreeBSD.ORG
Subject: Re: Pine 4.44 Privacy Patch
Message-ID: <20020607222137.GB91889@dragon.stack.nl>
References: <20020607151320.C46348-100000@roble.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20020607151320.C46348-100000@roble.com>
User-Agent: Mutt/1.3.99i
X-Editor: VIM Rulez! http://www.vim.org/
X-MUD: Outerspace - telnet://mud.stack.nl:3333
X-Really: Yes
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-security.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-security>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-security>
X-Loop: FreeBSD.org

Roger Marquis wrote:
> Problem description:
> 
>     The Pine email client allows users to define the "From:"
>     address independent of their Unix username.  This is an
>     indispensable feature for help desks and other role accounts.
> 
>     Unfortunately, user names and/or ids can still be leaked due to
>     Pine's insertion of "Sender:" and/or "X-Sender:" headers.  Pine
>     versions earlier than 4.44 may also insert the Unix username
>     into other envelope and header fields.

Rewriting the From: header can hardly be called a decent privacy
measure. Note that some MTAs (including postfix, dunno about others)
add similar information anyway.

If this is an issue for people, then they shouldn't use their personal
accounts. Period.

-- 
Dean C. Strik             Eindhoven University of Technology
dean@stack.nl  |  dean@ipnet6.org  |  http://www.ipnet6.org/
"This isn't right. This isn't even wrong." -- Wolfgang Pauli

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message