Educause Security Discussion mailing list archives

Re: Upgrading Eudora clients due to recent vulnerability


From: Robert Berlinger <rnb () AECOM YU EDU>
Date: Thu, 24 Feb 2005 09:55:56 -0500

As far as I understand, Eudora 6.2.1 was created for the sole purpose of
fixing the issue discovered by NGSSoftware and present in every prior
version.  Qualcomm's notes on the web site only seem to indicate that the
exploit would cause Eudora to crash, but that contradicts what NGSSoftware
said in its advisory.

We're still working on our rollout plan.

-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of H. Morrow Long
Sent: Wednesday, February 23, 2005 7:45 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Upgrading Eudora clients due to recent vulnerability

On Feb 14, 2005, at 10:17 AM, Robert Berlinger wrote:
On the vulnerability, see
http://www.ngssoftware.com/advisories/eudora-01.txt

Robert -- Thanks for the link to the NGSSoftware advisory.

Reading it, I see that they unequivocally state that the vulnerability
allows the execution of arbitrary code.

The only note I found on www.eudora.com from Qualcomm/Eudora
about a buffer overflow is:

        http://www.eudora.com/techsupport/kb/2485hq.html

Is this about the NGSSoftware advisory or an earlier problem?
It is talking about a problem in 6.0.* and earlier (rather than 6.2 and
earlier).

It says the possibility of the exploit exec'ing arbitrary code is just
'speculation' at this point, e.g. the bug is just known as a buffer
overflow which crashes Eudora.

Or has Qualcomm/Eudora not posted a notice on this current problem on
their website nor responded publicly to it?

Is anyone else making plans to push upgrades or migrations of masses of
Eudora users to 6.2.1 or anything else?

- H. Morrow Long, CISSP, CISM, CEH
   University Information Security Officer
   Director -- Information Security Office
   Yale University, ITS




**********
Participation and subscription information for this EDUCAUSE Discussion
Group discussion list can be found at http://www.educause.edu/groups/.
