I recommend upgrading to the latest version of vpopmail which fixes the exploit. Pick up the current stable version: http://www.inter7.com/vpopmail/

vchkpw, which authenticates a user with information from qmail-popup, was storing the information in a statically defined buffer. There was no buffer overrun checking done. Current stable version now checks for buffer overruns in several places.

A security audit of the code is being done. Which it sorely needs.

Ken Jones
http://www.inter7.com/

Adam McKenna wrote:
>
> In that case, what would you recommend?
>
> --Adam
>
> On Sun, Jan 23, 2000 at 10:53:31PM -0500, Russell Nelson wrote:
> > > 5. Recommendation
> > >
> > > Impose the 40 character limitation specified by RFC1939 into qmail.
> > > Apply qmail-popup patch http://www.ktwo.ca/c/qmail-popup-patch
> >
> > I don't recommend applying that patch. Every line of it is wrong. It
> > makes qmail-popup less secure, by inserting a call to syslog(), which
> > is a security disaster. It also sucks in the string library, which
> > includes the well-known security hole sprintf().
> >
> > --
> > -russ nelson <sigat_private> http://russnelson.com
> > Crynwr sells support for free software | PGPok | "Ask not what your country
> > 521 Pleasant Valley Rd. | +1 315 268 1925 voice | can force other people to
> > Potsdam, NY 13676-3213 | +1 315 268 9201 FAX | do for you..." -Perry M.
> >
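
An added illustration of the overrun checking described in the message above (not vpopmail's code and not part of the thread): a parser that copies a login name and password out of a `user\0pass\0...` buffer into fixed-size fields and rejects anything that does not fit. The input layout, the 40-byte field limit and every name in the block are assumptions made for this example.

```c
#include <stddef.h>
#include <string.h>

#define FIELD_MAX 40 /* assumed per-field limit for this example */

struct creds {
    char user[FIELD_MAX + 1];
    char pass[FIELD_MAX + 1];
};

/* Copy one NUL-terminated field from buf[pos..len) into dst.
 * Returns the offset just past the field's NUL, or 0 if the field is
 * empty, unterminated within the input, or too long for dst. */
static size_t take_field(const char *buf, size_t len, size_t pos,
                         char *dst, size_t dst_size)
{
    const char *end;
    size_t n;

    if (pos >= len)
        return 0;
    end = memchr(buf + pos, '\0', len - pos); /* never scans past len */
    if (end == NULL)
        return 0;
    n = (size_t)(end - (buf + pos));
    if (n == 0 || n >= dst_size) /* reject instead of truncating */
        return 0;
    memcpy(dst, buf + pos, n + 1); /* n + 1 <= dst_size, NUL included */
    return pos + n + 1;
}

/* Parse "user\0pass\0..."; returns 0 on success, -1 if rejected. */
int parse_creds(const char *buf, size_t len, struct creds *out)
{
    size_t pos;

    memset(out, 0, sizeof *out);
    pos = take_field(buf, len, 0, out->user, sizeof out->user);
    if (pos == 0)
        return -1;
    return take_field(buf, len, pos, out->pass, sizeof out->pass) ? 0 : -1;
}

int main(void)
{
    static const char sample[] = "alice\0s3cret\0" "0"; /* constructed input */
    struct creds c;
    return parse_creds(sample, sizeof sample, &c) == 0 ? 0 : 1;
}
```
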