Hello all,

I just came across this security bulletin that affects qmail:
https://www.qualys.com/2020/05/19/cve-2005-1513/remote-code-execution-qmail.txt

“TLDR: In 2005, three vulnerabilities were discovered in qmail but were
never fixed because they were believed to be unexploitable in a default
installation. We recently re-discovered these vulnerabilities and were
able to exploit one of them remotely in a default installation.”

If I understand correctly, it can be mitigated by:

- using softlimit to restrict process memory limit, even on qmail-local
- configure databytes to limit email message size.

or by applying the patches included in the article linked above. 

Is this patch something that should be included in QMT?

How to add soft limit to qmail-local?

Quinn

Reply via email to