I recommend upgrading to the latest version of vpopmail which fixes
the exploit. Pick up the current stable version:
http://www.inter7.com/vpopmail/
vchkpw - which authenticates a user with information from qmail-pop
up was storing the information in a staticly defined buffer. There
was no buffer over run checking done. Current stable version now
checks for buffer overruns in several places. A security
audit of the code is being done. Which it sorely needs.
Ken Jones
http://www.inter7.com/
Adam McKenna wrote:
>
> In that case, what would you recommend?
>
> --Adam
>
> On Sun, Jan 23, 2000 at 10:53:31PM -0500, Russell Nelson wrote:
> > > 5. Recommendation
> > >
> > > Impose the 40 character limitation specified by RFC1939 into qmail.
> > > Apply qmail-popup patch http://www.ktwo.ca/c/qmail-popup-patch
> >
> > I don't recommend applying that patch. Every line of it is wrong. It
> > makes qmail-popup less secure, by inserting a call to syslog(), which
> > is a security disaster. It also sucks in the string library, which
> > includes the well-known security hole sprintf().
> >
> > --
> > -russ nelson <[EMAIL PROTECTED]> http://russnelson.com
> > Crynwr sells support for free software | PGPok | "Ask not what your country
> > 521 Pleasant Valley Rd. | +1 315 268 1925 voice | can force other people to
> > Potsdam, NY 13676-3213 | +1 315 268 9201 FAX | do for you..." -Perry M.
> >
