1. SECURITY Vulnerability on qpopper 2.53 : qpopper 3.x port on FreeBSD ?
As I saw that there is a security bug with qpopper 2.53 (see below) which is
provided by all FreeBSD distribution as the only port, I was wondering
if there is someone working on the qpopper 3.02 port.
Thanks in advance for your help. Gildas.
Qpopper development has learned of a security vulnerability in
Qpopper 2.53 (and older). All users of Qpopper are urged to upgrade
to 3.0.2 or later.
The details have been reported to CERT and BugTraq. The exploit
involves sending a specially-constructed message to a user, then
logging in as that user and issuing the EUIDL command. A successful
attack can yield a shell running with group 'mail'.
It is important to note that the attack:
1. Requires the ability to log in as a user.
2. Can at most give a shell with uid of the user and gid of mail,
potentially allowing access to other user's mail.
3. Will be logged.
4. Requires Qpopper 2.53 or older. The current released version is 3.0.2.
In addition, not all sites use group 'mail' or have Qpopper set to
run with gid=mail, or have spools owned by group 'mail' and have rw
group access. However, this is a very common configuration.
Qpopper 3.0 has additional protections against buffer overflows; this
exploit proves the usefulness of this approach.
Fluxus, 28 rue Desaix, 75015 Paris ---_`\<,_
http://www.fluxus.net ---- (_)/ (_)
"En 2000, FranceNet change de nom et devient Fluxus"
"In 2000, FranceNet changes its name and becomes Fluxus"
2. Networking Linux
3. compiling qpopper with shadow password support
4. Windows 95 on old 386 notebook: pros and cons ?
5. QPopper & Shadow passwords
6. Starting PCNFSD
7. qpopper "password incorrect"
8. Need KPanel to go away; Kppp says PPP not supported by kernel
9. Qpopper and passwords
10. qpopper with shadow password
11. qpopper and shadow passwords
12. netscape + qpopper under linux = "incorrect password" : H E L P ! ! !
13. Can't set root password- Password busy error -is not due to temp password file