Port setting is ignored in versions 3.1.0-dev-00148, 3.1.0-dev-00170, and 3.1.0-dev-00176 #93

Merged
merged 4 commits into from
Oct 28, 2021

Conversation

liammclennan
Contributor

@liammclennan liammclennan commented Oct 28, 2021

Via @nblumhardt:

We've identified that this constitutes a vulnerability in versions 3.1.0-dev-00148, 3.1.0-dev-00170, and 3.1.0-dev-00176 of the package, available from August 27th 2021 to October 28th 2021.

The app eagerly computed the port value, in the constructor, before the user's Port setting would be applied.

If the user had chosen port 465 to use implicit SSL, and didn't also choose the "Require TLS" setting, this would downgrade the security of their connection by falling back to port 25 with STARTTLS.

We think this is an instance of CWE-693, Protection Mechanism Failure, and have requested a CVE id for it.

The 3.1.0-dev-00179 version of the package properly respects this setting.
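The failure mode described in this PR, as an added example in C# that is not code from the original page or from the seq-app-htmlemail project: the `Bind` host stand-in, the class names and the `OnAttached` hook are assumptions made for illustration, and the real Seq settings binding is not shown. It puts the eager (vulnerable) shape beside the lazy (fixed) shape so the silent 465 to 25 fallback is visible.

```csharp
using System;

// Added example (not the project's code). Models the bug in this PR: a host
// constructs the app first and assigns its settings afterwards, so a port
// derived in the constructor only ever sees the default.

sealed class SmtpOptions
{
    public const string Host = "smtp.example.test"; // constructed value
    public int Port { get; }
    public bool RequireTls { get; }

    public SmtpOptions(int port, bool requireTls)
    {
        Port = port;
        RequireTls = requireTls;
    }

    // 465 is implicit TLS from the first byte. On any other port the session
    // starts in cleartext and STARTTLS is only opportunistic unless the caller
    // insists on it, which is what makes the 465 -> 25 fallback a downgrade.
    public string Describe()
    {
        if (Port == 465)
            return $"{Host}:{Port} implicit TLS";
        return $"{Host}:{Port} STARTTLS " + (RequireTls ? "required" : "opportunistic");
    }
}

// Vulnerable shape: the options are built in the constructor, before Port is set.
sealed class EagerEmailApp
{
    const int DefaultPort = 25;
    readonly SmtpOptions _options;

    public int? Port { get; set; }
    public bool RequireTls { get; set; }

    public EagerEmailApp()
    {
        // Port is still null here, so DefaultPort is baked in for good.
        _options = new SmtpOptions(Port ?? DefaultPort, RequireTls);
    }

    public SmtpOptions Options => _options;
}

// Fixed shape: the options are derived once the host has applied every setting.
sealed class LazyEmailApp
{
    const int DefaultPort = 25;
    SmtpOptions _options;

    public int? Port { get; set; }
    public bool RequireTls { get; set; }

    // Hypothetical hook the host calls after binding settings; the name is an
    // assumption for this example, not something the PR shows.
    public void OnAttached()
    {
        _options = new SmtpOptions(Port ?? DefaultPort, RequireTls);
    }

    public SmtpOptions Options =>
        _options ?? throw new InvalidOperationException("settings not applied yet");
}

static class Program
{
    // Stand-in for the host's settings binding: construct, assign, then attach.
    static T Bind<T>(Action<T> applySettings, Action<T> attach) where T : new()
    {
        var app = new T();
        applySettings(app);
        attach(app);
        return app;
    }

    static void Main()
    {
        // User picked implicit TLS on 465 but did not tick "Require TLS".
        var eager = Bind<EagerEmailApp>(a => a.Port = 465, a => { });
        var lazy  = Bind<LazyEmailApp>(a => a.Port = 465, a => a.OnAttached());

        Console.WriteLine("eager (vulnerable): " + eager.Options.Describe());
        Console.WriteLine("lazy  (fixed):      " + lazy.Options.Describe());
    }
}
```

Run it as a plain console project (`dotnet run`). The eager app reports port 25 with opportunistic STARTTLS even though 465 was configured, because `Port ?? DefaultPort` was evaluated while `Port` was still null; the lazy app, which only builds its options after the host has applied the settings, keeps 465 and therefore implicit TLS. The check a practitioner wants here is the same one the test in the lazy path makes implicit: never derive connection security from settings inside a constructor that runs before those settings are bound.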

{
_options = _options = new SmtpOptions(
Host,
Port ?? DefaultPort,
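Review bot: `_options = _options = new SmtpOptions(` assigns the same new object to `_options` twice; the inner assignment is redundant and should be dropped. More importantly, evaluating `Port ?? DefaultPort` inside the constructor means `Port` has not been populated yet when the options are built, so the configured port is never consulted and `DefaultPort` always wins; that is exactly the downgrade reported in this PR's description (465 silently becoming 25 with STARTTLS). Build the `SmtpOptions` only after the settings have been applied, not in the constructor.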
Member

Could we extract port again?

@nblumhardt nblumhardt merged commit e4ffda1 into datalust:dev Oct 28, 2021
@nblumhardt nblumhardt changed the title from "Move app settings" to "Port setting is ignored in versions 3.1.0-dev-00148, 3.1.0-dev-00170, and 3.1.0-dev-00176" Oct 28, 2021
MattMofDoom added a commit to MattMofDoom/seq-app-htmlemail that referenced this pull request Nov 1, 2021
MattMofDoom added a commit to MattMofDoom/seq-app-htmlemail that referenced this pull request Nov 1, 2021
@nblumhardt nblumhardt mentioned this pull request Feb 22, 2023
2 participants