"Received" header contains inappropriate internal network information, such as local IP addresses.
Categories
(Thunderbird :: Security, defect)
Tracking
(Not tracked)
People
(Reporter: davidahillman+moz, Unassigned)
Details
Steps to Reproduce:
- Installed Thunderbird on Kubuntu 24.04 LTS, on a system that is attached to a Local Area Network, behind a firewall. Systems on that LAN are assigned IP addresses from the 192.168/16 private IP range, as per RFC 1918.
- Send an electronic mail to any address.
- Inspect the "Received" headers on that message, at its destination.
Observed Result:
The "Received" header contains details about the source's private network address scheme that are supposed to remain private.
For example:
Received: from [192.168.1.9] ( <valid-internet-ip-address-redacted> )
by smtp.gmail.com with ESMTPSA id <message-id-redacted>
for <recipient-address-redacted>
(version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);
Expected Result:
The "Received" header should not publicize the source's private network configuration.
For example, a different mail client installed on the same machine generates this header, instead:
Received: from host.localnet ( <valid-internet-ip-address-redacted> )
by smtp.gmail.com with ESMTPSA id <message-id-redacted>
for <recipient-address-redacted>
(version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);
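As an added example (not part of the bug report, and not Thunderbird's or any other client's code): a check that scans a message's "Received" headers and flags the ones whose "from" clause is an internal address literal. Per RFC 5321 section 4.4, the first token after "from" is the name or address literal the client presented in HELO/EHLO, which is the part a mail client controls; the parenthesised part that follows is what the receiving server itself observed. The sample message, host names and addresses below are constructed (documentation ranges), not the reporter's.

```python
import ipaddress
import re
from email import message_from_string
from typing import List, Optional, Tuple

# Constructed sample (not the reporter's message): the lower Received header was
# added by the submission server and records the client's EHLO identity, an
# RFC 1918 address literal; the upper one was added by a later relay hop.
SAMPLE_MESSAGE = """\
Received: from mail-relay.example.net (mail-relay.example.net. [198.51.100.7])
        by mx.example.org with ESMTPS id abc123
        for <alice@example.org>;
        Tue, 1 Apr 2025 10:00:01 +0000
Received: from [192.168.1.9] (203.0.113.5. [203.0.113.5])
        by smtp.example.net with ESMTPSA id xyz789
        for <alice@example.org>
        (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);
        Tue, 1 Apr 2025 10:00:00 +0000
From: bob@example.net
To: alice@example.org
Subject: test

body
"""

# RFC 1918 IPv4 space plus IPv6 unique local addresses (RFC 4193).
RFC1918_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ULA_NET = ipaddress.ip_network("fc00::/7")

FROM_CLAUSE = re.compile(r"^from\s+(\S+)", re.IGNORECASE)
BY_CLAUSE = re.compile(r"\bby\s+(\S+)", re.IGNORECASE)


def unfold(header_value: str) -> str:
    """Collapse RFC 5322 folding whitespace into single spaces."""
    return " ".join(header_value.split())


def ehlo_identity(received: str) -> Optional[str]:
    """First token of the 'from' clause: the domain or address literal the
    submitting client presented in HELO/EHLO (RFC 5321 section 4.4)."""
    m = FROM_CLAUSE.match(unfold(received))
    return m.group(1) if m else None


def address_literal(token: str):
    """Parse an RFC 5321 address literal such as [192.168.1.9] or
    [IPv6:fd12:3456:789a::1]; returns None for a domain name or junk."""
    if not (token.startswith("[") and token.endswith("]")):
        return None
    inner = token[1:-1]
    if inner.lower().startswith("ipv6:"):
        inner = inner[len("ipv6:"):]
    try:
        return ipaddress.ip_address(inner)
    except ValueError:
        return None


def is_internal(addr) -> bool:
    """True when the address describes the sender's LAN rather than the public
    Internet: RFC 1918, IPv6 ULA, loopback or link-local."""
    if any(addr in net for net in RFC1918_NETS):
        return True
    return addr in ULA_NET or addr.is_loopback or addr.is_link_local


def leaked_internal_addresses(raw_message: str) -> List[Tuple[str, str]]:
    """Return (leaked address, server that recorded it) for every Received
    header whose EHLO identity is an internal address literal, in header order."""
    msg = message_from_string(raw_message)
    leaks = []
    for received in msg.get_all("Received", []):
        token = ehlo_identity(received)
        addr = address_literal(token) if token else None
        if addr is not None and is_internal(addr):
            by = BY_CLAUSE.search(unfold(received))
            leaks.append((str(addr), by.group(1) if by else "?"))
    return leaks


if __name__ == "__main__":
    for addr, server in leaked_internal_addresses(SAMPLE_MESSAGE):
        print(f"internal address {addr} exposed in Received header added by {server}")
```

Run it over a saved `.eml` to see which hop recorded the leak; the second header in the example is caught because its EHLO identity is an RFC 1918 literal, while a header whose "from" clause is a host name like `host.localnet` passes. The same fallback exists outside Thunderbird: Python's `smtplib`, for instance, sends an address literal in EHLO when `socket.getfqdn()` yields no usable name unless `local_hostname` is passed to `smtplib.SMTP`, so the check is worth applying to mail from any client, not only the one in this report.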
Thanks, but why the triple report hours apart?
Comment 2 • 9 months ago (Reporter)
For many hours yesterday, Bugzilla's submission form was throwing "502 Bad Gateway" errors. So I submitted the form a number of times, each time hoping that the problem had been fixed. Apparently those submissions were processed, despite Bugzilla being unable to compose a reply, but that processing was not visible to the user.
I tried to report the outage, but Mozilla offers no communication channel to people who do not use Twitter or Facebook, so I could not do that, either.
OK, thanks for highlighting this issue.
> Mozilla offers no communication channel to people who do not use Twitter or Facebook, so I could not do that, either.
FYI, you can report general problems with bug creation here, but I don't suppose it should be used for temporary server problems/outages.