[EMAIL PROTECTED] wrote:
>
> On Tue, Feb 29, 2000 at 10:24:39AM -0500, Russell Nelson wrote:
> > Markus Wuebben writes:
> > > Is this known?
> > > A complete description of the problem can be found
> > > at http://www.inter7.com/vpopmail/exploit.html
> >
> > Yes, it's known. The patch is still given using strlen(), though,
> > which drags in the C library and makes qmail-pop3d gratuitiously
> > bigger.
>
> Patching qmail-pop3d is just plain wrong. qmail-pop3d is completely ok,
> it's vpopmail that should be fixed.
>
Ah. I understand Russell's comment from before about the patch
using strlen and dragging in the string library. The patch was for
qmail-pop3d. Ahah. no no. The problem was in vpopmail and was fixed
January 7th, a few hours after we heard about it. Don't patch
qmail-pop3d.
Ken Jones
www.inter7.com
