Issue 128194 - bugzilla mailserver does not use TLS on outbound connections => security problem and GDPR violation
Status: CLOSED NOT_AN_OOO_ISSUE
Alias: None
Product: Infrastructure
Classification: Infrastructure
Component: Bugzilla
Version: current
Hardware: All All
Importance: P5 (lowest) Normal
Target Milestone: ---
Assignee: AOO issues mailing list
QA Contact:
URL:
Keywords:
Depends on:
Blocks:
Reported: 2019-09-09 11:20 UTC by Don't show my email
Modified: 2019-09-14 11:38 UTC
CC: 3 users

See Also:
Issue Type: DEFECT
Latest Confirmation in: ---
Developer Difficulty: ---


Attachments

Description Don't show my email 2019-09-09 11:20:05 UTC
This is for your debug attempts:


2019-09-09 12:20:07 H=hermes.apache.org (mail.apache.org) [207.244.88.153] F=<bugzilla@apache.org> rejected RCPT <apache@resellerdesktop.de>: Sender did not use TLS secured connection. Sender benutzte keine TLS gesicherte Verbindung.

I had to disable the EU GDPR policy checks to get the account token mail, which is a DP violation for European corps and organisations. (§32 EU GDPR 2016; if you want to know more about the impacts on the EU, you can check the EXIM ML from last Friday ;) )

As you can see, NO ENCRYPTION was used at all.

The mailserver sends LOGIN TOKENS without encryption to anyone, which is a security issue in itself,
but it gets worse when I have to assume that sensitive bug report content is also sent without encryption around the planet.

Mozilla had the same problem, and that you also have it makes me think. They fixed it this year.
It's possible that the Bugzilla stack has a small security problem.

FYI: a news report about this issue has already been launched today; taking it seriously would be a smart move.

BTW: the email address for this account had an AF BZ account before, but for some unknown reasons it got completely removed.
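As an added example (not part of the original report or of the Bugzilla installation), a small Python audit that scans Exim-style main-log lines like the rejection quoted above and counts, per sending host, the SMTP sessions known to have used no TLS. The first sample line mirrors the report's log entry; the remaining lines, hostnames and IPs are constructed, and the regexes assume Exim's default main-log layout.

```python
import re
from collections import Counter

# Constructed Exim main-log sample. Line 1 mirrors the rejection quoted in the
# report; the others are made up (documentation IPs) to exercise each branch.
SAMPLE_LOG = """\
2019-09-09 12:20:07 H=hermes.apache.org (mail.apache.org) [207.244.88.153] F=<bugzilla@apache.org> rejected RCPT <apache@resellerdesktop.de>: Sender did not use TLS secured connection. Sender benutzte keine TLS gesicherte Verbindung.
2019-09-09 12:25:41 1i7Qpl-0001Xy-2k <= alice@example.org H=mx1.example.org (mx1.example.org) [192.0.2.10] P=esmtps X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no S=2048 id=abc@example.org
2019-09-09 12:31:02 1i7QvQ-0001Yb-7f <= bob@example.net H=smtp.example.net (smtp.example.net) [198.51.100.7] P=esmtp S=1733 id=def@example.net
2019-09-09 12:40:15 H=hermes.apache.org (mail.apache.org) [207.244.88.153] F=<bugzilla@apache.org> rejected RCPT <apache@resellerdesktop.de>: Sender did not use TLS secured connection. Sender benutzte keine TLS gesicherte Verbindung.
2019-09-09 12:45:55 H=spam.example.com [203.0.113.5] F=<x@spam.example.com> rejected RCPT <apache@resellerdesktop.de>: relay not permitted
"""

# "rejected RCPT" lines are written by an ACL deny; "<=" lines are accepted arrivals.
REJECT_RE = re.compile(
    r"^(?P<ts>\S+ \S+) H=(?P<host>\S+)(?: \([^)]*\))? \[(?P<ip>[^\]]+)\] "
    r"F=<(?P<sender>[^>]*)> rejected RCPT <(?P<rcpt>[^>]*)>: (?P<reason>.*)$")
ACCEPT_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \S+ <= (?P<sender>\S+) H=(?P<host>\S+)(?: \([^)]*\))? "
    r"\[(?P<ip>[^\]]+)\] P=(?P<proto>\S+)(?P<rest>.*)$")

def parse_line(line):
    """Classify one log line; returns None for lines that are not audited."""
    m = REJECT_RE.match(line)
    if m:
        rec = m.groupdict()
        rec["event"] = "rejected"
        # Only a TLS-policy rejection tells us the session was plaintext; for
        # other deny reasons the TLS state is unknown.
        rec["tls"] = False if rec["reason"].startswith("Sender did not use TLS") else None
        return rec
    m = ACCEPT_RE.match(line)
    if m:
        rec = m.groupdict()
        rec["event"] = "accepted"
        # Exim logs the negotiated cipher as X=... (and P=esmtps) when STARTTLS
        # was used; neither present means the message arrived in the clear.
        rec["tls"] = rec["proto"] == "esmtps" or " X=" in rec["rest"]
        return rec
    return None

def plaintext_senders(log_text):
    """Count, per (host, ip), the SMTP sessions known to have used no TLS."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None and rec["tls"] is False:
            counts[(rec["host"], rec["ip"])] += 1
    return counts

if __name__ == "__main__":
    for (host, ip), n in plaintext_senders(SAMPLE_LOG).most_common():
        print(f"{n:3d} plaintext session(s) from {host} [{ip}]")
```

Run against a real mainlog, the counts show which peers would keep being rejected by a TLS-enforcing inbound ACL, so the receiving side can decide per host whether to enforce or to notify the sender.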
Comment 1 Peter 2019-09-09 12:12:06 UTC
Can you state which personal information has been leaked to the public?
Comment 2 Peter 2019-09-09 12:13:12 UTC
Ohh, yea, please note that all information you post is public. If you do not want that, then contact private@openoffice.apache.org.
Comment 3 oooforum (fr) 2019-09-09 13:53:19 UTC
(In reply to Don't show my email from comment #0)
> which is a DP violation for european corps and organisations
Much Ado About Nothing
This is just a bug tracking system
Comment 4 Don't show my email 2019-09-09 20:13:04 UTC
Of course you did not leak any personal information yet, that's not the point.

EU GDPR §32 states that, if easily and simply possible, the general transport of personal data has to be encrypted/protected. The fact that you as receiver can't know in advance what people will send to you via email leads to the consequence that you have to protect any incoming transmission.

I am part of a European corp/organisation and we have to obey the GDPR, as it's a European law.

So, any disabling of the TLS enforcement policy means a violation for us, because in that timeframe a mail with personal data could come in. I admit, it's theoretical at first, but if I have to leave the TLS enforcer disabled for every mail your Bugzilla is sending, i.e. as reaction to a ticket, it's no longer theoretical, it becomes a real violation.

Means in the end, a lawful corp/org has to block unencrypted email traffic.

The worst part is the fact that you send it unencrypted at all. It's 2019! Not 1990.

I had the same discussion with Mozilla, and I won :) Be nice, enable TLS for TLS-capable mailservers. Besides the EU-friendly policy, it's a security enhancement, as sensitive information is no longer sent in plain text around the globe.
Comment 5 Matthias Seidel 2019-09-09 20:17:30 UTC
However, this is not a bug in OpenOffice, but in the Bugzilla installation.

So the issue should be raised with ASF Infra, who is maintaining this (and other) installations.
Comment 6 Peter 2019-09-10 06:07:20 UTC
Okay.
1) As you have just confirmed, we did not conduct any GDPR violation.
2) You have not passed any personal information to us that could lead to a GDPR violation.
3) All information on the server except the email address is shown to the public. Also in this point we do not violate the GDPR.

I see it is in our full right to do this unencrypted. This is a convenience change for you, as you have also confirmed.
A smart guy would be nice and not threaten us with a media campaign.

I will reach out to infra when I have time and ask them what they can do.

Just remember your words matter. Give the people the chance to be nice.