The SMTP engine is largely unchanged since 8.0 was released.  2006 deals primarily with webmail thus far, and these other services have only been tweaked and not rewritten.  I assume that all of 8.x is vulnerable regardless of the source of the information on the list which was not disputed.  I think that earlier versions however are certainly an open question.

Safari support is in 2001.1 for the first time.  They indicated that for the most part, only rich text editing of E-mail is missing, and that this is what was going to be available to the expert group soon.  Having something that is at least minimally functional for Safari users was a huge shortcoming of 2006 thus far and most ISPs and hosting providers who knew about this held off because of it.  Now they are being forced to upgrade to a first time partially functional platform.

Normally I would consider it minimally acceptable for a company to patch any software for vulnerabilities like this for a year regardless of issues surrounding the latest release.  Of course the more expensive and critical the software is, the longer they should support patching vulnerabilities, and in this case since they only now have an upgrade path from 8.22, they should definitely provide it.

Matt





Sanford Whiteman wrote:
On the IMail list they indicated that IMail 8.x is also affected and
possibly older versions as well.
    

A non-Ipswitch poster said that an anonymous tech indicated so. We all
know that if that was a first-level tech... their word is not exactly
gold. True, the IMail product manager chimed in to say that no patches
of any kind are offered for older versions, but did not own up to this
vulnerability, AFAICS. Not encouraging either way. It is notable that
the various third-party advisories (most of them reprints, to be sure)
specify:

Ipswitch Collaboration 2006 Suite Premium Edition
Ipswitch Collaboration 2006 Suite Standard Edition
Ipswitch IMail 2006
Ipswitch IMail Plus 2006
Ipswitch IMail Secure 2006

If script kiddie code were in the wild, an upgrade-or-get-owned
vulnerability in the thousands of IMail 6.x, 7.x, and 8.x MXs still in
use is a MAJOR problem! But don't you think some white hat would've
tested 8.x in the process of checking the proof-of-concept? Not
necessarily, but it would be traditional.

  
The biggest issue here is that the first version with rudimentary
Safari support in webmail happens to be the latest with the
patch...?
    

Hmm, I kinda saw the opposite, in that Kevin said of Safari support
today (9/11), "This will be available in an expert user program in
sept/oct and to the general public in the next release." It would, of
course, behoove him to lightly imply (somewhere else?) that (a) the
patched 2006.1 supports Safari and (b) 8.22's SMTPD is subject to the
new vulnerability, but I don't believe either of these are true.

--Sandy


------------------------------------
Sanford Whiteman, Chief Technologist
Broadleaf Systems, a division of
Cypress Integrated Systems, Inc.
e-mail: [EMAIL PROTECTED]

SpamAssassin plugs into Declude!
  http://www.imprimia.com/products/software/freeutils/SPAMC32/download/release/

Defuse Dictionary Attacks: Turn Exchange or IMail mailboxes into IMail Aliases!
  http://www.imprimia.com/products/software/freeutils/exchange2aliases/download/release/
  http://www.imprimia.com/products/software/freeutils/ldap2aliases/download/release/



---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.



  
