Here is a patch (attached) to take 4.0.3 down to 4.0.2.

On Tue, Jun 05, 2001 at 06:52:23PM +0200, Roman Drahtmueller wrote:
> We hope that this information is accurate. Version 4.0.2 is not on the ftp
> server any more, and there is no patch from 4.0.2 to 4.0.3.
> We currently feel handicapped in our efforts to check the code for the
> changes wrt the buffer overflow.
>
> SuSE ships qpopper versions 2.53 (with a set of patches that include
> security fixes for this version) for SuSE-6.3, 6.4 and 7.0, SuSE-7.1 and
> the upcoming SuSE-7.2 release have version 3.1.2.
>
> If the above statement is right, then SuSE distributions are not
> vulnerable. However, we wish to double-check such a claim. All kinds of
> verification and transparency are welcome, including an official statement
> from Qualcomm (thanks in advance!).
>
>
> > Changes from 4.0.2 to 4.0.3:
> > ----------------------------
> > 1. Don't call SSL_shutdown unless we tried to negotiate an
> > SSL session. (As suggested by Kenneth Porter.)
> > 2. Fix buffer overflow (reported by Gustavo Viscaino).
>
>
> Thank you,
> Roman Drahtmüller,
> SuSE Security.
> - --
> - -
> | Roman Drahtmüller <drahtat_private> // "Caution: Cape does |
> SuSE GmbH - Security Phone: // not enable user to fly."
> | Nürnberg, Germany +49-911-740530 // (Batman Costume warning label) |
> - -
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.0.6 (GNU/Linux)
> Comment: http://www.suse.de/
>
> iEYEARECAAYFAjsdDlkACgkQnkDjEAAKq6RVAQCgmAZJGKq6v4J9kjznUy+tlZzm
> j3EAoMyrDlRtE8OgI98T7FN18IfEYfHR
> =G2T2
> -----END PGP SIGNATURE-----

--
William Colburn, "Sysprog" <wcolburnat_private>
Computer Center, New Mexico Institute of Mining and Technology
http://www.nmt.edu/tcc/ http://www.nmt.edu/~wcolburn

This archive was generated by hypermail 2b30 : Tue Jun 05 2001 - 18:39:04 PDT