Comment 53 for bug 44335

Pascal Giard (pascalgiard-debian) wrote : Re: [Bug 44335] Re: IMAP/POP3+SSL/TLS are disabled

On Thu, Jul 24, 2008 at 4:14 PM, omni <email address hidden> wrote:
> Didn't have libssl-dev installed.
>
> I tried reverting to 4.1 and manually rebuilding with dpkg and libssl-
> dev and now 4.1 works perfectly with TLS.
>
> Now that I have libssl-dev I could try with 5.4 but 4.1 seems to have
> everything I need. Have there been any significant security updates
> between 4.1 and 5.4 or are all the changes mostly cosmetic?

Security-wise, the most significant feature must be the usage of GNOME
Keyring to store passwords.
(They used to be stored in plaintext in
~/.gnome2/mail-notification/mailboxes.xml).

Of course, that particular feature is mentioned in the NEWS file; the
paragraph itself is an entertaining read.
Allow me to quote Jean-Yves:
"Passwords are now encrypted, using GNOME Keyring. Note that I do not
endorse the flawed GNOME Keyring approach of granting passwords an
encryption-worth status while ignoring other sensitive data.
Furthermore, at the time of this writing, GNOME Keyring does not seem
to prevent the memory it uses for storing the passwords from being
swapped out to disk. However, despite these flaws, it has been
observed that GNOME Keyring has beneficial psychological effects on
some users. For increased psychological well-being, MN even moves the
plain text passwords it finds in mailboxes.xml to the keyring."

Food for thought. ;-)

Cheers,

-Pascal
--
Homepage (http://organact.mine.nu)
Debian GNU/Linux (http://www.debian.org)
LACIME: École de technologie supérieure (http://lacime.etsmtl.ca)