On 15 Mar 2002 01:51:10 -0000 Dustin Childers wrote:

> When sending a string that has 2048+ characters in it, the
> in.qpopper or popper process will begin to use massive
> amounts of CPU and will not stop until it is manually killed.

(BID 4295)

There has been no posting by the vendor here that I've seen, but from
the ChangeLog at
ftp://ftp.qualcomm.com/eudora/servers/unix/popper/Changes :

"Changes from 4.0.3 to 4.0.4:
----------------------------
1. Fixed DOS attack seen on some systems."

which is presumably a reference to the same issue.

To confirm this, I did some tests on a Red Hat 7.2 i386 system.
Results are as follows:

Qpopper 4.0.3 (inetd mode via xinetd) - VULNERABLE
Qpopper 4.0.3 (standalone mode)       - NOT TESTED
Qpopper 4.0.4 (inetd mode via xinetd) - NOT VULNERABLE
Qpopper 4.0.4 (standalone mode)       - NOT VULNERABLE

If you want to install Qpopper as an RPM while you're updating it, you
may be interested in my RPM spec file, which can be found at
http://www.timj.co.uk/linux/ .

Tim

--
To assure privacy, you are encouraged to use strong encryption when
sending e-mail to me. PGP key at http://timj.co.uk/TimPubKey.asc