You Didn't Read The Discussion.

I Quote:
The authentication program cmd5checkpw can function as a plugin to
qmail-smtpd-auth, a patch for qmail which supports the SMTP AUTH protocol.
Due to improper input validation and error trapping, supplying cmd5checkpw
with a non-existent username will cause it to segfault. In turn, the
qmail-smtpd-auth Qmail patch incorrectly interprets this failure as a
successful authentication. As a result, an attacker providing invalid
input to cmd5checkpw can create a falsely-authenticated session, leaving
the victim host open to receiving and forwarding mail from unauthenticated
systems.

End Quote:

After A Quick Search On Bugtraq I Found No Exploits Or Vuls For
Qmail-1.03.  I Did Find 6 Relating To Programs Related To Qmail Or Patched
From Third Parties To Add Features To Qmail.

Next Time You Try To Start A Flame Do A Bit More Research. :-)

~Kurth

Kurth Bemis
Senior Network Admin/Owner: USAExpress.net
Owner: Ozone Computer

http://kurth.hardcrypto.com
PGP Key Avail.
---------------------------------------------------------------------
Uh!.....Uh!.....Uh!....."I'm done with this."...Out the window

On Fri, 1 Jun 2001, Kenneth E. Lussier wrote:

> And your point would be what, exactly? A vulnerability was discovered
> and less than a week later there is a solution to it? I have to say
> that this does reaffirm my faith in sendmail. It's better than Qmail's
> response time (bugtraq id#1809 shows that it took from 10/16 until
> 11/10 to fix a remote password retrieval vulnerability). So, other
> than a poor attempt at starting a flame war, I really don't see much
> value in this. Unless of course, your point was to once again
> demonstrate your inability to use the shift key on your keyboard.
>
> Kurth Bemis wrote:
> >
> > got this off of the qmail list today.  might be an interesting read for all
> > you sendmail die hards :-)
>
> --
> ---------------------------------------------------
>  Kenneth E. Lussier
>  Geek by nature, Linux by choice
>  PGP KeyID 0xD71DF198
>  Public key available @ http://pgp.mit.edu
>
> **********************************************************
> To unsubscribe from this list, send mail to
> [EMAIL PROTECTED] with the following text in the
> *body* (*not* the subject line) of the letter:
> unsubscribe gnhlug
> **********************************************************
>
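
The failure mode in the advisory quoted at the top of this message (a crashed checker being read as a successful login) can be reproduced with a stand-in child process. This is an added example, not part of the original thread and not the qmail-smtpd-auth or cmd5checkpw code; the function names are hypothetical and the naive check is an assumed illustration of the kind of mistake described, shown beside a fail-closed version.

```c
#include <signal.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

enum { ACCEPT, REJECT, CRASH };   /* constructed child behaviours */

/* Fork a stand-in password checker and return its raw wait status
   (or -1 if fork/waitpid failed). */
static int checker_status(int mode)
{
    int status = 0;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (mode == CRASH) {          /* die the way a segfault does */
            signal(SIGSEGV, SIG_DFL);
            raise(SIGSEGV);
        }
        _exit(mode == ACCEPT ? 0 : 1);
    }
    return waitpid(pid, &status, 0) == pid ? status : -1;
}

/* Weak: reads the exit-code bits without asking how the child ended.
   A signal-killed child has exit-code bits of 0, so a crash passes. */
int naive_accepts(int mode)
{
    int status = checker_status(mode);
    return WEXITSTATUS(status) == 0;
}

/* Hardened: fail closed unless the child exited normally with code 0. */
int strict_accepts(int mode)
{
    int status = checker_status(mode);
    return status != -1 && WIFEXITED(status) && WEXITSTATUS(status) == 0;
}

int main(void)
{
    static const char *name[] = { "accept", "reject", "crash" };
    for (int m = ACCEPT; m <= CRASH; m++)
        printf("%-6s naive=%d strict=%d\n", name[m],
               naive_accepts(m), strict_accepts(m));
    return 0;
}
```

Any caller that spawns an external authentication helper should treat every outcome other than a normal exit with status 0 as a rejection.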

