Hi all, I'm currently looking a little deeper at IMAP and Qpopper on the RaQ3 and RaQ4 and plan to rebuild those daemons from the latest available sources. My intention is to release free and unofficial PKG and RPM files which upgrade these daemons to the latest versions.
The RaQ3 and RaQ4 use the University of Washington IMAP version 4rev1 v12.264. SUN/Cobalt is kinda misleading about that fact - by accident or intent. When you query the RPM database it returns back that imap-4.7c2-C1 is installed. However, the IMAP daemon is not imap-4.7 as one might guess from looking at the version of the installed RPM package. It's in fact the vulnerable imap-4rev1 v12.264 instead.

A vulnerability exists in version 12.264 of the University of Washington IMAPd server (UW-IMAP), implementing IMAP4rev1. This weakness could allow a logged-in user to execute arbitrary code. As far as is known this does not allow the user to get root access, instead the code or shell is executed with the user's privileges. Which is bad enough.

The installed Qpopper is slightly better off. It's version 3.02 and should fix all security issues which 3.01 and especially 2.53 had. However, Qpopper-4.0.4 is out and aside from TLS/SSL support it's (according to Eudora/Qualcomm) 1000-times faster on startup and one third faster at session end.

I fetched the SRPMs which SUN/Cobalt used to build those daemons presently on the RaQ4, but I'm looking for feedback and input from people who have already installed a newer IMAP and/or Qpopper from the sources. What obstacles did you run into? Did you use any special configure options? (if so, which and why)

--
With best regards
Michael Stauber
[EMAIL PROTECTED]
Unix/Linux Support Engineer

_______________________________________________
cobalt-developers mailing list
[EMAIL PROTECTED]
http://list.cobalt.com/mailman/listinfo/cobalt-developers
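
The post's point that the RPM label (imap-4.7c2-C1) hides the daemon version actually running (v12.264) can be checked from the server greeting. The following is an added example, not part of the original post: the greeting lines are constructed samples, the host name is a placeholder, and the function names are hypothetical.

```python
import re

# Daemon version the post identifies as vulnerable (taken from the page).
VULNERABLE_UW_IMAPD = {"12.264"}

# Server token in a UW imapd greeting, e.g. "IMAP4rev1 v12.264".
_BANNER_RE = re.compile(r"\bIMAP4rev1\s+v?(\d+(?:\.\d+)+)", re.IGNORECASE)
# Optional response code such as "[CAPABILITY IMAP4REV1 STARTTLS]".
_RESP_CODE_RE = re.compile(r"\[[^\]]*\]")


def banner_version(greeting):
    """Return the daemon version from an IMAP greeting line, or None."""
    line = greeting.strip()
    # Only OK/PREAUTH greetings describe a usable server; BYE does not.
    if not line.startswith(("* OK", "* PREAUTH")):
        return None
    line = _RESP_CODE_RE.sub("", line)
    match = _BANNER_RE.search(line)
    return match.group(1) if match else None


def audit(rpm_name, greeting):
    """Compare the RPM label with what the daemon itself reports."""
    # RPM names are name-version-release; split from the right.
    _, pkg_version, _ = rpm_name.rsplit("-", 2)
    daemon = banner_version(greeting)
    return {
        "package_version": pkg_version,
        "daemon_version": daemon,
        # The package label says nothing about the daemon's own version.
        "label_differs": daemon is not None and daemon != pkg_version,
        "vulnerable": daemon in VULNERABLE_UW_IMAPD,
    }


# Constructed sample greetings (not captured from a real host).
OLD = "* OK raq4.example.com IMAP4rev1 v12.264 server ready"
NEW = ("* OK [CAPABILITY IMAP4REV1 STARTTLS] raq4.example.com "
       "IMAP4rev1 2001.315 at Tue, 1 Jan 2002 00:00:00 +0000 (UTC)")

if __name__ == "__main__":
    for greeting in (OLD, NEW):
        print(audit("imap-4.7c2-C1", greeting))
```
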