tags #336979 confirmed security
severity #336979 important
thanks

On Wed, Nov 02, 2005 at 01:37:35AM +0100, Peter Thomassen wrote:
> When using plain_courier_authdaemon or login_courier_authdaemon
> authentication, wrong passwords are accepted (but only correct
> usernames).

Ouch!

> According to [1], this is Debian-specific.
> [1]:
> http://www.devco.net/archives/2004/06/10/smtp_auth_with_exim_and_courier_authdaemon.php

Ouch!

* Why has this taken more than a quarter of a year to be reported to
  the people who are able to fix it?
* I cannot see why this is Debian-specific, since we took the
  authenticators listed on that web page verbatim.

> [2] gives another server_condition which is claimed to not raise this
> problem, but I cannot verify that because I just don't understand it.
> [2]: http://www.exim.org/eximwiki/FAQ/Policy_controls/Q0730

This code works, and since the exim wiki is more "official" than some
random web forum, I have modified the Debian package to now use this
example.

> Since this allows unauthorized people to authenticate with Exim, this is
> a security hole (critical).

Since this issue is in an example which is commented out by default, the
Debian security team disagrees. I will fix this issue in Debian sid and
eventually in etch, but the broken example will stay in sarge. This bug
report will remain available for reference though.

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mail address in header
Mannheim, Germany  |  lose things." Winona Ryder   | Fon: *49 621 72739834
Nordisch by Nature | How to make an American Quilt | Fax: *49 621 72739835
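The failure mode under discussion is an SMTP AUTH server_condition that talks to courier's authdaemon but does not check its answer strictly enough, so a wrong password still ends in "yes". The following Python is an added illustration of that check done properly; it is not code from the bug report, from the Debian exim4 package, or from either of the two linked pages (neither Exim expansion string is reproduced on this page). It assumes the authdaemon wire format as implemented in courier-authlib: the client sends "AUTH <len>\n<service>\n<authtype>\n<user>\n<password>\n", and the daemon answers either "FAIL\n" or a block of "NAME=value\n" lines ended by a line containing a single ".". The sample replies are constructed, not captured, and `naive_accepted` is an illustrative mistake (accept any answer at all), not a claim about what either cited configuration actually did.

```python
"""Strict handling of courier authdaemon replies for an SMTP AUTH check.

Added example, not code from the bug report or the Debian package.
Assumed wire format (courier-authlib):
  request : b"AUTH <len>\n<service>\n<authtype>\n<user>\n<password>\n"
  failure : b"FAIL\n"
  success : b"NAME=value\n" ... b".\n"
"""
from typing import Optional


def build_auth_request(service: str, authtype: str,
                       user: str, password: str) -> bytes:
    """Encode an AUTH request; the length prefix counts the body only.

    Newlines or NULs in any field would let a client smuggle extra
    protocol lines, so they are rejected outright.
    """
    for field in (service, authtype, user, password):
        if "\n" in field or "\0" in field:
            raise ValueError("newline/NUL in authdaemon field")
    body = f"{service}\n{authtype}\n{user}\n{password}\n".encode()
    return b"AUTH " + str(len(body)).encode() + b"\n" + body


def parse_authdaemon_reply(reply: bytes) -> Optional[dict]:
    """Return the auth fields on success, None on anything else.

    Only a complete, well-formed success block counts. "FAIL", an empty
    reply (daemon down, socket timeout) and a block that lacks the
    terminating "." line are all treated as authentication failure.
    """
    if not reply:
        return None
    lines = reply.split(b"\n")
    if lines[-1] != b"":           # a proper reply ends with a newline
        return None
    lines = lines[:-1]
    if not lines or lines[0] == b"FAIL":
        return None
    if lines[-1] != b".":          # truncated success block: reject
        return None
    fields = {}
    for line in lines[:-1]:
        key, sep, value = line.partition(b"=")
        if not sep or not key:     # malformed line: reject the whole reply
            return None
        fields[key.decode()] = value.decode()
    if "ADDRESS" not in fields:    # success always carries the account
        return None
    return fields


def strict_accepted(reply: bytes) -> bool:
    """What a server_condition should reduce to: parsed success only."""
    return parse_authdaemon_reply(reply) is not None


def naive_accepted(reply: bytes) -> bool:
    """Illustrative mistake: any non-empty answer is taken as success.

    Since authdaemon answers "FAIL\n" to a bad password, this accepts
    wrong passwords for any existing user, which is the symptom in the
    report. Shown here as an anti-pattern, not as the original config.
    """
    return bool(reply.strip())


# Constructed sample replies (not captured from a real daemon).
GOOD_REPLY = b"ADDRESS=peter\nUID=1000\nGID=1000\nHOME=/home/peter\n.\n"
FAIL_REPLY = b"FAIL\n"
TRUNCATED_REPLY = b"ADDRESS=peter\nUID=1000\n"


if __name__ == "__main__":
    print(build_auth_request("smtp", "login", "peter", "s3cret"))
    for name, reply in (("good", GOOD_REPLY), ("fail", FAIL_REPLY),
                        ("truncated", TRUNCATED_REPLY), ("empty", b"")):
        print(f"{name:10} strict={strict_accepted(reply)!s:5} "
              f"naive={naive_accepted(reply)}")
```

The point to carry back to an Exim configuration is the last column of that output: the naive check says "yes" to "FAIL", the strict one only says "yes" to a complete success block that names an account. Whatever expansion you end up with in server_condition, test it with a correct username and a wrong password before relying on it.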