I built my QMT a couple of years ago on CentOS 7, and spot checking I see
that softlimits are already applied in the following supervise startup


Additionally, I have a reasonable value in /var/qmail/control/databytes
(I'm 99% certain that QMT sets a value here by default.)

So, as far as I can tell, the RCE issues are already mitigated in
relatively recent QMT installs.

If I am reading the CVE correctly, all of the RCE vulnerabilities can be
mitigated by having a reasonable value in /var/qmail/control/databytes

Have you checked your deployed systems?

I need to dig into how qmail-local is being called, so I can figure out
whether it has softlimits yet, but I need to get my kids to school.  :)


On Tue, May 26, 2020 at 6:07 AM Quinn Comendant <qu...@strangecode.com>

> Hello all,
> I just came across this security bulletin that affects qmail:
> https://www.qualys.com/2020/05/19/cve-2005-1513/remote-code-execution-qmail.txt
> “TLDR: In 2005, three vulnerabilities were discovered in qmail but were
> never fixed because they were believed to be unexploitable in a default
> installation. We recently re-discovered these vulnerabilities and were
> able to exploit one of them remotely in a default installation.”
> If I understand correctly, it can be mitigated by:
> - using softlimit to restrict process memory limit, even on qmail-local
> - configuring databytes to limit email message size.
> or by applying the patches included in the article linked above.
> Is this patch something that should be included in QMT?
> How to add soft limit to qmail-local?
> Quinn
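The two mitigations the thread settles on, a softlimit memory cap in the supervise run scripts and a non-zero, non-huge control/databytes, are easy to spot-check mechanically. The script below is an added example written for this page, not QMT's own code or anything from the thread. It assumes the QMT layout of run scripts under $root/supervise/*/run and control files under $root/control, and it uses a 1 GiB ceiling for databytes as a stand-in for "reasonable"; both are assumptions, and the sample tree it builds under mktemp is constructed test data.

```shell
#!/bin/sh
# Added example (not QMT code): audit a qmail tree for the two mitigations
# discussed above. Assumed layout: $root/supervise/<service>/run and
# $root/control/databytes (QMT-style); point it at /var/qmail on a real box.

# has_softlimit RUNFILE: succeed if the run script passes its command through
# softlimit with a memory cap on the same line (-m, -d or -a followed by a
# byte count). This is a line-oriented heuristic, not a shell parser.
has_softlimit() {
    grep -Eq '(^|[[:space:]/])softlimit[[:space:]].*-[mda][[:space:]]*[0-9]+' "$1"
}

# databytes_ok ROOT [MAX]: succeed if control/databytes exists, is a positive
# integer and is at most MAX. A missing or zero value means "unlimited" to
# qmail-smtpd. MAX defaults to 1 GiB here; that ceiling is an assumption.
databytes_ok() {
    f="$1/control/databytes"
    max="${2:-1073741824}"
    [ -s "$f" ] || return 1
    v=$(tr -d '[:space:]' < "$f")
    case "$v" in ''|*[!0-9]*) return 1 ;; esac
    [ "$v" -gt 0 ] && [ "$v" -le "$max" ]
}

# audit_qmail ROOT: print one line per check; exit status is the number of failures.
audit_qmail() {
    root="$1"
    failures=0
    if databytes_ok "$root"; then
        echo "OK   control/databytes = $(tr -d '[:space:]' < "$root/control/databytes")"
    else
        echo "FAIL control/databytes missing, 0 (unlimited), or above the ceiling"
        failures=$((failures + 1))
    fi
    for run in "$root"/supervise/*/run; do
        [ -f "$run" ] || continue
        name=$(basename "$(dirname "$run")")
        if has_softlimit "$run"; then
            echo "OK   $name: softlimit memory cap present"
        else
            echo "FAIL $name: no softlimit memory cap in run script"
            failures=$((failures + 1))
        fi
    done
    return "$failures"
}

# make_sample_tree: build a constructed qmail-like tree for a stand-alone run.
# qmail-smtpd gets a softlimit; qmail-send deliberately does not.
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/control" "$dir/supervise/qmail-smtpd" "$dir/supervise/qmail-send"
    printf '50000000\n' > "$dir/control/databytes"
    cat > "$dir/supervise/qmail-smtpd/run" <<'EOF'
#!/bin/sh
exec /usr/bin/softlimit -m 64000000 \
  /usr/bin/tcpserver -v -R -H -l "$LOCAL" -c 40 -u "$QMAILDUID" -g "$NOFILESGID" 0 smtp \
  /var/qmail/bin/qmail-smtpd 2>&1
EOF
    cat > "$dir/supervise/qmail-send/run" <<'EOF'
#!/bin/sh
exec /var/qmail/rc
EOF
    echo "$dir"
}

# Stand-alone demo against the constructed tree (replace with: audit_qmail /var/qmail).
SAMPLE=$(make_sample_tree)
audit_qmail "$SAMPLE" || echo "$? check(s) failed under $SAMPLE"
rm -rf "$SAMPLE"
```

On the qmail-local question: qmail-local is not a supervised service, it is exec'd by qmail-lspawn, which qmail-send starts, and resource limits set with setrlimit (which is what softlimit does) are inherited across fork and exec. So a softlimit in the qmail-send run script is what caps qmail-local; that is why the audit above flags a qmail-send run script without one.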
