There is a security bug in versions of the programs tmail and dmail
distributed with the IMAP Toolkit versions 2007c or earlier (all versions
prior to 2008-10-29). This includes the version distributed with Alpine
2.00. A fixed version of the programs is included in the IMAP Toolkit
version 2007d, which is available at

    http://www.washington.edu/imap/

or more directly at

    ftp://ftp.cac.washington.edu/imap/

The tmail and dmail programs are only used if you have explicitly used
them. The c-client library is not affected by this bug, and the IMAP and
POP3 servers distributed with the Toolkit are not affected by this bug.

If you are using tmail or dmail you should replace them with the fixed
versions immediately. The bug is exploitable by local users with shell
access and may be remotely exploitable on some systems. A default sendmail
installation with tmail as a delivery agent is not remotely exploitable
because of length limits imposed by sendmail.

Steve Hubert <[EMAIL PROTECTED]>
Univ. of Washington Technology Services, Seattle