Sam Varshavchik wrote:
> kfx writes:
>
>> Hi list,
>> following the Gentoo's advisory (
>> http://www.gentoo.org/security/en/glsa/glsa-200704-18.xml ), it is
>> said that courier-imap 4.0.6-r2 and below has a vulnerability with
>> XMAILDIR variable leading to shell command injection. If I've installed
>
> There's no such thing as an "XMAILDIR" variable in Courier-IMAP.
>
> Reading the bugreport further, it's apparent that this is some
> Gentoo-specific bullsh1t that they pollute my source code with,
> entirely on their own initiative, and for no good reason.
>
>> "courier-imap-4.0.6.tar.bz2" from the courier's site), am I affected
>> by this ? I mean the -r2 in 4.0.6-r2 is for something like "release
>> candidate" so I shouldn't worry ?
>
> It means that you should not complain here about Gentoo-specific, and
> Gentoo-originated bugs.

Hey, I'm not using Gentoo and I get courier stuff from the original source.
The fact is that the advisory first hits Full-Disclosure with a Gentoo-specific
mail subject, then it hits other sec-lists, ending with the Gentoo tag in the
subject being lost. The last came from a notorious CERT from which I must take
note, with the subject "Vulnerability in Courier-IMAP" with no mention of
Gentoo. That's all, my 4.0.6 installation has worked flawlessly for years, so if
there's no need to upgrade...

By the way, thank you for your work Mr Sam :)
