www-infrastructure-issues mailing list archives

From "Henri Yandell (JIRA)" <j...@apache.org>
Subject [jira] Commented: (INFRA-1754) security issue with jira passwords
Date Thu, 26 Mar 2009 10:39:55 GMT

    [ https://issues.apache.org/jira/browse/INFRA-1754?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12689431#action_12689431 ]

Henri Yandell commented on INFRA-1754:

From the support ticket:

Emily Stumpf [Atlassian] added a comment - 09/Nov/08 06:08 PM
Hello Henri,

I apologize for this, but there is currently not a way to prevent Jira from emailing passwords
in plaintext. However, there are two feature requests in our issue tracker for the Jira product
relating to this which I encourage you to vote and add your comments to:

    * http://jira.atlassian.com/browse/JRA-6175
    * http://jira.atlassian.com/browse/JRA-15916

The second is more of a quick, temporary measure (to have a check box when creating your new
user to not send the password at all), but the good news is, the actual solution (the first)
is scheduled to be implemented in our next major release of Jira. I don't have a date on when
it will be out, but it should be some time next year.


> security issue with jira passwords
> ----------------------------------
>                 Key: INFRA-1754
>                 URL: https://issues.apache.org/jira/browse/INFRA-1754
>             Project: Infrastructure
>          Issue Type: Bug
>      Security Level: public(Regular issues) 
>          Components: JIRA
>            Reporter: Eric Haszlakiewicz
>            Assignee: Henri Yandell
> I recently signed up for an account at issues.apache.org/jira in order to
> submit some bugs.  I noted that the url switched over to https when I went to the login
> screen, so I felt relatively confident that the information I typed in would be secure.
> However, shortly after I filled out the form I received an email that CONTAINED MY PASSWORD
> IN PLAIN TEXT!!!  I didn't even ask for a password reset, yet for some reason jira decided
> that I needed to be told what I just entered, and in a form that anyone sniffing the network
> (or just glancing at my screen as I read my email) could read.  That email should be turned
> off asap.

This message is automatically generated by JIRA.
You can reply to this email to add a comment to the issue online.
