Wolfgang Jeltsch writes:
Hi,thank you very much for this information. Has there been any new insight into how Courier is affected by this bug? Can the bug be exploited via ways other than default files? And is Courier affected by the “follow-up” CVE-2014-7169?
I don't think the follow-up exploit is in scope. To use the follow-up explot, so far, you need to somehow stuff the ">" character into an email address.
This is going to be a problem, since the > character terminates the MAIL FROM or the RCPT TO command. So, I'm not worried about it.
One way to mitigate the exposure is to set up a custom SHELL for Courier's process environment. If SHELL is set, local mail delivery commands will be executed using this shell, rather than /bin/sh.
Testing shows that csh works fine. It's unlikely that most common mail delivery commands will use anything that's bash-specific. To do this, change the SHELL setting in the courierd configuration file to:
SHELL=/bin/cshor to any other shell. Of course, you could always have something in your .courier files that uses a bash-ism, and would now be broken, but if that's the case you should already know about it.
pgpNm7Xe33r7f.pgp
Description: PGP signature
------------------------------------------------------------------------------ Meet PCI DSS 3.0 Compliance Requirements with EventLog Analyzer Achieve PCI DSS 3.0 Compliant Status with Out-of-the-box PCI DSS Reports Are you Audit-Ready for PCI DSS 3.0 Compliance? Download White paper Comply to PCI DSS 3.0 Requirement 10 and 11.5 with EventLog Analyzer http://pubads.g.doubleclick.net/gampad/clk?id=154622311&iu=/4140/ostg.clktrk
_______________________________________________ courier-users mailing list courier-users@lists.sourceforge.net Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
