Ángel González writes:
Sam Varshavchik wrote: > > And is Courier affected by the “follow-up” CVE-2014-7169? > > I don't think the follow-up exploit is in scope. To use the follow-up > explot, so far, you need to somehow stuff the ">" character into an > email address. > > This is going to be a problem, since the > character terminates the > MAIL FROM or the RCPT TO command. So, I'm not worried about it.courier accepts CVE-2014-7169 poc in the EHLO
That's not enough. This has to make it into some bash process's initial environment.
It's not going to make it into the shell that runs .courier delivery commands.
If the localmailfilter API is enabled, the SMTP server process will fork and execute maildrop directly, bypassing the shell entirely.
An environment variable will need to be explicitly imported by a maildrop recipe here, in order to be available to a child shell process maildrop would fork off. So, someone needs to use localmailfilter, and explicitly import the environment variable with the HELO string, before there's a problem.
pgpXWobRxGRnp.pgp
Description: PGP signature
------------------------------------------------------------------------------ Meet PCI DSS 3.0 Compliance Requirements with EventLog Analyzer Achieve PCI DSS 3.0 Compliant Status with Out-of-the-box PCI DSS Reports Are you Audit-Ready for PCI DSS 3.0 Compliance? Download White paper Comply to PCI DSS 3.0 Requirement 10 and 11.5 with EventLog Analyzer http://pubads.g.doubleclick.net/gampad/clk?id=154622311&iu=/4140/ostg.clktrk
_______________________________________________ courier-users mailing list courier-users@lists.sourceforge.net Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
