Posted to infrastructure-issues@apache.org by "Eric Haszlakiewicz (JIRA)" <ji...@apache.org> on 2008/10/11 05:23:44 UTC

[jira] Created: (INFRA-1754) security issue with jira passwords

security issue with jira passwords
----------------------------------

                 Key: INFRA-1754
                 URL: https://issues.apache.org/jira/browse/INFRA-1754
             Project: Infrastructure
          Issue Type: Bug
      Security Level: public (Regular issues)
          Components: JIRA
            Reporter: Eric Haszlakiewicz



I recently signed up for an account at issues.apache.org/jira in order to submit some bugs.  I noted that the url switched over to https when I went to the login screen, so I felt relatively confident that the information I typed in would be secure.
However, shortly after I filled out the form I received an email that CONTAINED MY PASSWORD IN PLAIN TEXT!!!  I didn't even ask for a password reset, yet for some reason jira decided that I needed to be told what I just entered, and in a form that anyone sniffing the network (or just glancing at my screen as I read my email) could read.  That email should be turned off asap.


-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


[jira] Closed: (INFRA-1754) security issue with jira passwords

Posted by "Henri Yandell (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/INFRA-1754?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Henri Yandell closed INFRA-1754.
--------------------------------

    Resolution: Later

Duly voted, closing the ticket out as not much more for us to do until it shows up in a release.



[jira] Commented: (INFRA-1754) security issue with jira passwords

Posted by "Henri Yandell (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/INFRA-1754?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12679858#action_12679858 ] 

Henri Yandell commented on INFRA-1754:
--------------------------------------

This wasn't possible to change. I need to copy in the reply from the support ticket.



[jira] Commented: (INFRA-1754) security issue with jira passwords

Posted by "Henri Yandell (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/INFRA-1754?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12645817#action_12645817 ] 

Henri Yandell commented on INFRA-1754:
--------------------------------------

I've filed a support request with Atlassian to find out if it is possible to change this.



[jira] Assigned: (INFRA-1754) security issue with jira passwords

Posted by "Henri Yandell (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/INFRA-1754?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Henri Yandell reassigned INFRA-1754:
------------------------------------

    Assignee: Henri Yandell



[jira] Commented: (INFRA-1754) security issue with jira passwords

Posted by "Eric Haszlakiewicz (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/INFRA-1754?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12689495#action_12689495 ] 

Eric Haszlakiewicz commented on INFRA-1754:
-------------------------------------------

Ok, thanks.  It's good to see that someone is looking into fixing this in Jira.



[jira] Commented: (INFRA-1754) security issue with jira passwords

Posted by "#asfinfra IRC Bot (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/INFRA-1754?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12668159#action_12668159 ] 

#asfinfra IRC Bot commented on INFRA-1754:
------------------------------------------

<joes4> If you change your password, you won't get an email notification.




[jira] Commented: (INFRA-1754) security issue with jira passwords

Posted by "Henri Yandell (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/INFRA-1754?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12689431#action_12689431 ] 

Henri Yandell commented on INFRA-1754:
--------------------------------------

From the support ticket:

Emily Stumpf [Atlassian] added a comment - 09/Nov/08 06:08 PM
Hello Henri,

I apologize for this, but there is currently not a way to prevent Jira from emailing passwords in plaintext. However, there are two feature requests in our issue tracker for the Jira product relating to this which I encourage you to vote and add your comments to:

    * http://jira.atlassian.com/browse/JRA-6175
    * http://jira.atlassian.com/browse/JRA-15916

The second is more of a quick, temporary measure (to have a check box when creating your new user to not send the password at all), but the good news is, the actual solution (the first) is scheduled to be implemented in our next major release of Jira. I don't have a date on when it will be out, but it should be some time next year.

Cheers,
Emily

