smtp.PlainAuth susceptible to man-in-the-middle password harvesting [Go 1.9] #22133

broady · 2017-10-04T17:35:28Z

See #22134 for details.

Fixed in Go 1.9.1 by CL 68210 (39dd6f614474).

ddillard · 2017-10-10T14:53:24Z

Is there going to be a CVE for this issue? If not, any objections to me getting one assigned?

KilledKenny · 2017-10-10T15:00:14Z

ddillard · 2017-10-10T15:09:37Z

Excellent. Thank you.

broady added this to the Go1.9.1 milestone Oct 4, 2017

rsc changed the title ~~placeholder for security issue~~ smtp.PlainAuth susceptible to man-in-the-middle password harvesting [Go 1.9] Oct 4, 2017

rsc closed this as completed Oct 4, 2017

leonklingele mentioned this issue Oct 4, 2017

go 1.9.1 Homebrew/homebrew-core#19000

Closed

4 tasks

stevenjohnstone mentioned this issue Oct 5, 2017

net/smtp: return error from SendMail when required AUTH not available #22145

Closed

aronatkins mentioned this issue Oct 6, 2017

net/smtp: NewClient should initialize tls based on the incoming connection type #22166

Closed

golang locked and limited conversation to collaborators Oct 10, 2018

gopherbot added the FrozenDueToAge label Oct 10, 2018

dvyukov added the Security label May 15, 2019

dmitshur added the CherryPickApproved Used during the release process for point releases label Dec 5, 2019

Provide feedback