From mboxrd@z Thu Jan  1 00:00:00 1970
Path: news.gmane.org!not-for-mail
From: Stefan Monnier <monnier@iro.umontreal.ca>
Newsgroups: gmane.emacs.devel
Subject: Re: smtpmail.el security flaw in selecting authentication mechanism
Date: Wed, 04 Mar 2009 18:27:16 -0500
Message-ID: <jwvab8027ks.fsf-monnier+emacs@gnu.org>
References: <87myc24lia.fsf@mocca.josefsson.org>
	<E1Lez9h-0008QT-ER@fencepost.gnu.org>
NNTP-Posting-Host: lo.gmane.org
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Trace: ger.gmane.org 1236209258 23255 80.91.229.12 (4 Mar 2009 23:27:38 GMT)
X-Complaints-To: usenet@ger.gmane.org
NNTP-Posting-Date: Wed, 4 Mar 2009 23:27:38 +0000 (UTC)
Cc: Simon Josefsson <simon@yubico.com>, emacs-devel@gnu.org
To: rms@gnu.org
Original-X-From: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org Thu Mar 05 00:28:55 2009
Return-path: <emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org>
Envelope-to: ged-emacs-devel@m.gmane.org
Original-Received: from lists.gnu.org ([199.232.76.165])
	by lo.gmane.org with esmtp (Exim 4.50)
	id 1Lf0W8-0006Qr-Ss
	for ged-emacs-devel@m.gmane.org; Thu, 05 Mar 2009 00:28:49 +0100
Original-Received: from localhost ([127.0.0.1]:46632 helo=lists.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.43)
	id 1Lf0Un-0001OF-Fi
	for ged-emacs-devel@m.gmane.org; Wed, 04 Mar 2009 18:27:25 -0500
Original-Received: from mailman by lists.gnu.org with tmda-scanned (Exim 4.43)
	id 1Lf0Ui-0001MS-Ha
	for emacs-devel@gnu.org; Wed, 04 Mar 2009 18:27:20 -0500
Original-Received: from exim by lists.gnu.org with spam-scanned (Exim 4.43)
	id 1Lf0Uh-0001L1-Cn
	for emacs-devel@gnu.org; Wed, 04 Mar 2009 18:27:20 -0500
Original-Received: from [199.232.76.173] (port=33751 helo=monty-python.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.43) id 1Lf0Uh-0001Kd-7T
	for emacs-devel@gnu.org; Wed, 04 Mar 2009 18:27:19 -0500
Original-Received: from ironport2-out.pppoe.ca ([206.248.154.182]:48485
	helo=ironport2-out.teksavvy.com)
	by monty-python.gnu.org with esmtp (Exim 4.60)
	(envelope-from <monnier@iro.umontreal.ca>)
	id 1Lf0Uf-00059G-GE; Wed, 04 Mar 2009 18:27:17 -0500
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AsQEABOdrknO+KX2/2dsb2JhbACBTscDCI90glAIgTAGhAU
X-IronPort-AV: E=Sophos;i="4.38,304,1233550800"; d="scan'208";a="34709190"
Original-Received: from 206-248-165-246.dsl.teksavvy.com (HELO pastel.home)
	([206.248.165.246])
	by ironport2-out.teksavvy.com with ESMTP; 04 Mar 2009 18:27:16 -0500
Original-Received: by pastel.home (Postfix, from userid 20848)
	id 67FD94B454; Wed,  4 Mar 2009 18:27:16 -0500 (EST)
In-Reply-To: <E1Lez9h-0008QT-ER@fencepost.gnu.org> (Richard M. Stallman's
	message of "Wed, 04 Mar 2009 17:01:33 -0500")
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/23.0.91 (gnu/linux)
X-detected-operating-system: by monty-python.gnu.org: Genre and OS details not
	recognized.
X-BeenThere: emacs-devel@gnu.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Emacs development discussions." <emacs-devel.gnu.org>
List-Unsubscribe: <http://lists.gnu.org/mailman/listinfo/emacs-devel>,
	<mailto:emacs-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/pipermail/emacs-devel>
List-Post: <mailto:emacs-devel@gnu.org>
List-Help: <mailto:emacs-devel-request@gnu.org?subject=help>
List-Subscribe: <http://lists.gnu.org/mailman/listinfo/emacs-devel>,
	<mailto:emacs-devel-request@gnu.org?subject=subscribe>
Original-Sender: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org
Errors-To: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org
Xref: news.gmane.org gmane.emacs.devel:109456
Archived-At: <http://permalink.gmane.org/gmane.emacs.devel/109456>

> I am pretty sure we don't plan to make another release of Emacs 22.
> Do you think we should make one just on account of this?

No, it's not a serious security flaw: it still only uses one of the
protocols that we accept to use.  It just might choose a less
desirable one.


        Stefan