Educause Security Discussion mailing list archives
Re: Upgrading Eudora clients due to recent vulnerability
From: Robert Berlinger <rnb () AECOM YU EDU>
Date: Thu, 24 Feb 2005 09:55:56 -0500
As far as I understand, Eudora 6.2.1 was created for the sole purpose of fixing the issue discovered by NGSSoftware and present in every prior version. Qualcomm's notes on the web site only seem to indicate that the exploit would cause Eudora to crash, but that contradicts what NGSSoftware said in its advisory.

We're still working on our rollout plan.

-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of H. Morrow Long
Sent: Wednesday, February 23, 2005 7:45 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Upgrading Eudora clients due to recent vulnerability

On Feb 14, 2005, at 10:17 AM, Robert Berlinger wrote:
On the vulnerability, see http://www.ngssoftware.com/advisories/eudora-01.txt
Robert --

Thanks for the link to the NGSSoftware advisory. Reading it, I see that they unequivocally state that the vulnerability allows the execution of arbitrary code.

The only note I found on www.eudora.com from Qualcomm/Eudora about a buffer overflow is:

http://www.eudora.com/techsupport/kb/2485hq.html

Is this about the NGSSoftware advisory or an earlier problem? It is talking about a problem in 6.0.* and earlier (rather than 6.2 and earlier). It says the possibility of the exploit exec'ing arbitrary code is just 'speculation' at this point e.g. the bug is just known as a buffer overflow which crashes Eudora.

Or has Qualcomm/Eudora not posted a notice on this current problem on their website nor responded publicly to it?

Is anyone else making plans to push upgrades or migrations of masses of Eudora users to 6.2.1 or anything else?

- H. Morrow Long, CISSP, CISM, CEH
University Information Security Officer
Director -- Information Security Office
Yale University, ITS

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/groups/.