Closed Bug 1903904 Opened 8 months ago Closed 8 months ago

"Received" header contains inappropriate internal network information, such as local IP addresses.

Categories

(Thunderbird :: Security, defect)

Thunderbird 115
defect

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 1903895

People

(Reporter: davidahillman+moz, Unassigned)

Details

Steps to Reproduce:

  1. Installed Thunderbird on Kubuntu 24.04 LTS, on a system that is attached to a Local Area Network, behind a firewall. Systems on that LAN are assigned IP addresses from the 192.168/16 private IP range, as per RFC 1918.

  2. Send an electronic mail to any address.

  3. Inspect the "Received" headers on that message, at its destination.

Observed Result:
The "Received" header contains details about the source's private network address scheme that are supposed to remain private.

For example:

Received: from [192.168.1.9] ( <valid-internet-ip-address-redacted> )
by smtp.gmail.com with ESMTPSA id <message-id-redacted>
for <recipient-address-redacted>
(version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);

Expected Result:
The "Received" header should not publicize the source's private network configuration.

For example, a different mail client installed on the same machine generates this header, instead:

Received: from host.localnet ( <valid-internet-ip-address-redacted> )
by smtp.gmail.com with ESMTPSA id <message-id-redacted>
for <recipient-address-redacted>
(version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);
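
A way to check delivered mail for the difference between the two headers above, as an added example that is not part of the original report or of Thunderbird's code: it reads each "Received" header and labels the token after "from" as an RFC 1918 address literal, another address literal, or a host name. The sample message is constructed from the report's two headers, with 203.0.113.7, example-id and the recipient address standing in for the redacted values; the function names `classify` and `audit` are hypothetical.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample modelled on the two headers in the report. 203.0.113.7,
# "example-id" and the recipient are placeholders for the redacted values.
SAMPLE = (
    "Received: from [192.168.1.9] (203.0.113.7)\n"
    "\tby smtp.gmail.com with ESMTPSA id example-id\n"
    "\tfor <recipient@example.org>\n"
    "\t(version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);\n"
    "Received: from host.localnet (203.0.113.7)\n"
    "\tby smtp.gmail.com with ESMTPSA id example-id\n"
    "\tfor <recipient@example.org>\n"
    "\t(version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);\n"
    "Subject: constructed test message\n"
    "\n"
    "body\n"
)

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# First token after "from": a host name or a bracketed address literal.
FROM_RE = re.compile(r"\s*from\s+(\[[^\]]+\]|\S+)", re.IGNORECASE)

def classify(identity):
    """Label the 'from' token: rfc1918-literal, other-literal or hostname."""
    if not (identity.startswith("[") and identity.endswith("]")):
        return "hostname"
    literal = identity[1:-1]
    if literal.lower().startswith("ipv6:"):
        literal = literal[5:]  # strip the tag used for IPv6 address literals
    try:
        addr = ipaddress.ip_address(literal)
    except ValueError:
        return "other-literal"  # bracketed, but not a parseable IP address
    return "rfc1918-literal" if any(addr in n for n in RFC1918) else "other-literal"

def audit(raw_message):
    """Return (from-token, label) for every Received header, top to bottom."""
    results = []
    for value in message_from_string(raw_message).get_all("Received", []):
        match = FROM_RE.match(value)
        if match:
            results.append((match.group(1), classify(match.group(1))))
    return results

if __name__ == "__main__":
    for token, label in audit(SAMPLE):
        print(f"{label:16} {token}")
```
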

Status: UNCONFIRMED → RESOLVED
Closed: 8 months ago
Duplicate of bug: 1903895
Resolution: --- → DUPLICATE

note: 100% identical copy
