Bugtraq mailing list archives
Re: remote root qmail-pop with vpopmail advisory and exploit with patch (fwd)
From: kbo () INTER7 COM (iv0)
Date: Sun, 23 Jan 2000 22:35:09 -0600
I recommend upgrading to the latest version of vpopmail which fixes the exploit. Pick up the current stable version: http://www.inter7.com/vpopmail/

vchkpw - which authenticates a user with information from qmail-popup - was storing the information in a statically defined buffer. There was no buffer overrun checking done. Current stable version now checks for buffer overruns in several places.

A security audit of the code is being done. Which it sorely needs.

Ken Jones
http://www.inter7.com/

Adam McKenna wrote:
> In that case, what would you recommend?
>
> --Adam
>
> On Sun, Jan 23, 2000 at 10:53:31PM -0500, Russell Nelson wrote:
> > > 5. Recommendation
> > >
> > > Impose the 40 character limitation specified by RFC1939 into qmail.
> > > Apply qmail-popup patch http://www.ktwo.ca/c/qmail-popup-patch
> >
> > I don't recommend applying that patch. Every line of it is wrong. It makes qmail-popup less secure, by inserting a call to syslog(), which is a security disaster. It also sucks in the string library, which includes the well-known security hole sprintf().
> >
> > --
> > -russ nelson <sig () russnelson com>  http://russnelson.com
> > Crynwr sells support for free software  | PGPok |     "Ask not what your country
> > 521 Pleasant Valley Rd. | +1 315 268 1925 voice | can force other people to
> > Potsdam, NY 13676-3213  | +1 315 268 9201 FAX   | do for you..."  -Perry M.
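The two defects discussed in this thread, a statically sized buffer filled without a length check in vchkpw and the missing RFC 1939 40-character argument limit in qmail-popup, come down to one pattern: copy untrusted client input into fixed storage without measuring it first. The following is an added illustration written for this archive page; it is not code from vpopmail, qmail or the ktwo patch. The buffer size, the function names and the minimal "USER <name>" line parsing are assumptions chosen for the example.

```c
#include <stdio.h>
#include <string.h>

/* RFC 1939 requires POP3 servers to accept command arguments of up to
   40 characters; anything longer can simply be refused. */
#define POP3_ARG_MAX 40

/* Fixed-size storage for the user name. The size is an assumption for
   this example; the thread only says vchkpw used a static buffer. */
static char user_buf[POP3_ARG_MAX + 1];

/* Vulnerable pattern (for contrast only, never called below): the client
   controls the length of 'user', and strcpy writes every byte of it into
   a buffer that holds 41. Anything longer overwrites adjacent memory. */
void store_user_unchecked(const char *user)
{
    strcpy(user_buf, user);
}

/* Returns the argument part of a "USER <name>" command line, or NULL if
   the line is not a USER command. */
static const char *user_argument(const char *line)
{
    if (strncmp(line, "USER ", 5) != 0)
        return NULL;
    return line + 5;
}

/* Hardened pattern: measure the argument up to the limit, refuse anything
   that is empty or too long, then copy with an explicit bound.
   Returns 0 when the name was stored, -1 when the line was rejected. */
int store_user_checked(const char *line)
{
    const char *arg = user_argument(line);
    size_t n = 0;

    if (arg == NULL)
        return -1;

    /* Count characters up to CR, LF or NUL, but never scan further than
       one past the limit: we only need to know "fits" or "does not". */
    while (n <= POP3_ARG_MAX && arg[n] != '\0' && arg[n] != '\r' && arg[n] != '\n')
        n++;

    if (n == 0 || n > POP3_ARG_MAX)
        return -1;

    memcpy(user_buf, arg, n);
    user_buf[n] = '\0';
    return 0;
}

/* Accessor so callers (and the test) can inspect what was stored. */
const char *stored_user(void)
{
    return user_buf;
}

int main(void)
{
    /* Constructed sample lines: a normal login and an oversized name. */
    const char *ok_line = "USER alice\r\n";
    const char *long_line = "USER "
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" /* 41 characters */
        "\r\n";

    printf("%s -> %d (stored \"%s\")\n", "USER alice", store_user_checked(ok_line), stored_user());
    printf("41-char name -> %d\n", store_user_checked(long_line));
    return 0;
}
```

The bounded scan matters as much as the final memcpy: calling strlen() on client data before deciding would read arbitrarily far, so the loop stops at the limit plus one and treats "too long" as a rejection rather than a truncation. Refusing oversized input outright, rather than silently cutting it at 40 characters, also avoids authenticating a different account name than the one the client sent.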