From owner-freebsd-security Sat Jun 8 15:12:48 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mail-relay1.yahoo.com (mail-relay1.yahoo.com [216.145.48.34])
	by hub.freebsd.org (Postfix) with ESMTP id 7643337B403
	for ; Sat, 8 Jun 2002 15:12:39 -0700 (PDT)
Received: from FreeBSD.org (12-234-90-219.client.attbi.com [12.234.90.219])
	by mail-relay1.yahoo.com (Postfix) with ESMTP id 2F9588B5BB;
	Sat, 8 Jun 2002 15:12:39 -0700 (PDT)
Message-ID: <3D028157.28F86BD7@FreeBSD.org>
Date: Sat, 08 Jun 2002 15:12:39 -0700
From: Doug Barton
Organization: Triborough Bridge & Tunnel Authority
X-Mailer: Mozilla 4.79 [en] (X11; U; FreeBSD 4.6-RELEASE i386)
X-Accept-Language: en
MIME-Version: 1.0
To: Roger Marquis
Cc: security@FreeBSD.ORG
Subject: Re: Pine 4.44 Privacy Patch
References: <20020607151320.C46348-100000@roble.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Roger Marquis wrote:
>
> Problem description:
>
>   The Pine email client allows users to define the "From:"
>   address independent of their Unix username.  This is an
>   indispensable feature for help desks and other role accounts.
>
>   Unfortunately, user names and/or ids can still be leaked due to
>   Pine's insertion of "Sender:" and/or "X-Sender:" headers.  Pine
>   versions earlier than 4.44 may also insert the Unix username
>   into other envelope and header fields.

I've reviewed that patch, and I don't like it for a few reasons. Not the
least of which is that it is less than complete, and may give the user a
false sense of "security."

-- 
   "We have known freedom's price. We have shown freedom's power.
      And in this great conflict, ...  we will see freedom's victory."
	- George W. Bush, President of the United States
          State of the Union, January 28, 2002
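
A check for the leak described in the quoted problem statement, added here as an example and not part of the thread or of the patch under discussion: it scans every header of an outgoing message for the local login name, not only "Sender:" and "X-Sender:". The sample message, the login `jdoe` and the function name are constructed for illustration.

```python
import re
from email import message_from_string

# Constructed sample (not from the thread): a role address in From:,
# with the Unix login "jdoe" exposed by Sender: and X-Sender:.
SAMPLE = """\
From: Help Desk <helpdesk@example.org>
Sender: jdoe@shell.example.org
X-Sender: jdoe@shell.example.org
To: jdoesmith@example.net
Subject: Re: your ticket

Body text.
"""


def find_username_leaks(raw_message, username):
    """Return [(header_name, value)] for each header exposing `username`.

    The login name must appear as a whole token, so "jdoe" does not match
    "jdoesmith". From: is skipped because the user sets it deliberately.
    """
    msg = message_from_string(raw_message)
    # Reject matches that are part of a longer mailbox-style word.
    token = re.compile(
        r"(?<![\w.-])" + re.escape(username) + r"(?![\w.-])",
        re.IGNORECASE,
    )
    leaks = []
    for name, value in msg.items():
        if name.lower() == "from":
            continue
        if token.search(value):
            leaks.append((name, value))
    return leaks


if __name__ == "__main__":
    for name, value in find_username_leaks(SAMPLE, "jdoe"):
        print("leak in %s: %s" % (name, value))
```

Run it against a message saved from the outgoing queue, passing the sender's login name, to see which fields a given client or patch level still populates.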