On Thu, Mar 04, 2004 at 10:01:01AM +0900, UEDA Hiroyuki wrote:
> > On Wed, Mar 03, 2004 at 05:09:29PM +0100, Claudio Jeker wrote:
> > > Georgi Guninski has posted a way to buffer overflow qmail-qmtpd.c.
> > > Currently it is not proven that this can be used for a successful attack
> > > but better be safe. So here is a patch.
> > >
> >
> > getlen() is also used in qmail-qmqpd.c (which is used for cluster
> > forwards). I don't know if it is possible to do anything bad with it but
> > again better be safe. Remember qmail-qmqpd is normally restricted to the
> > cluster servers with a tcprules file so the attack has to come from one of
> > your other mail servers.
> >
> > Also the buffer overflow of Georgi Guninski needs a non empty RELAYCLIENT
> > which is definitely non standard.
> >
> > --
> > :wq Claudio
>
> This fix is not included in qmail-ldap-1.03-20040301.patch, is it?
>

It will be included in the one we announce. The non-official on nrg4u does not have it in.

> # And do you have a plan to announce qmail-ldap-1.03-20040301.patch
> # officially or not?
>

I'm waiting for Andre to update the website but he is a slacker ;-)

--
:wq Claudio
