Hi Chris,

Thanks for the analysis. My understanding is the same.

I think the main concern is regarding memory limits placed on qmail-local. I don't know how to apply softlimits there.

Quinn

On 26 May 2020 08:17:08, Chris wrote:
> I built my QMT a couple of years ago on CentOS 7, and spot checking I
> see that softlimits are already applied in the following supervise
> startup scripts:
>
> /var/qmail/supervise/smtp/run
> /var/qmail/supervise/submission/run
> /var/qmail/supervise/smtps/run
>
> Additionally, I have a reasonable value in
> /var/qmail/control/databytes (I'm 99% certain that QMT sets a value
> here by default.)
>
> So, as far as I can tell, the RCE issues are already mitigated in
> relatively recent QMT installs.
>
> If I am reading the CVE correctly, all of the RCE vulnerabilities can
> be mitigated by having a reasonable value in
> /var/qmail/control/databytes
>
> Have you checked your deployed systems?
>
> I need to dig into how qmail-local is being called, so I can figure
> out whether it has softlimits yet, but I need to get my kids to
> school. :)
>
> -Chris
>
> On Tue, May 26, 2020 at 6:07 AM Quinn Comendant
> <[email protected]> wrote:
>> Hello all,
>>
>> I just came across this security bulletin that affects qmail:
>> https://www.qualys.com/2020/05/19/cve-2005-1513/remote-code-execution-qmail.txt
>>
>> “TLDR: In 2005, three vulnerabilities were discovered in qmail but were
>> never fixed because they were believed to be unexploitable in a default
>> installation. We recently re-discovered these vulnerabilities and were
>> able to exploit one of them remotely in a default installation.”
>>
>> If I understand correctly, it can be mitigated by:
>>
>> - using softlimit to restrict process memory limit, even on qmail-local
>> - configure databytes to limit email message size.
>>
>> or by applying the patches included in the article linked above.
>>
>> Is this patch something that should be included in QMT?
>>
>> How to add soft limit to qmail-local?
>>
>> Quinn
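
Added example, written by the editor and not code from the QMT project or from anyone in the thread: a POSIX sh audit of the two mitigations the thread discusses, a softlimit wrapper in each supervise run script and a positive value in control/databytes (qmail-smtpd treats a missing or zero databytes as no limit). It assumes the layout named in the thread (/var/qmail/supervise/<service>/run and /var/qmail/control/databytes) and adds a "send" service directory for the qmail-start run script, which is an assumption about QMT's naming. On the qmail-local question: qmail-local is executed by qmail-lspawn, which is executed by qmail-start, and setrlimit limits are inherited across fork and exec, so a softlimit placed on the run script that starts qmail-start also bounds qmail-lspawn and qmail-local; that observation is the editor's, not the thread's. The demo tree the script builds is constructed for the example.

```shell
#!/bin/sh
# Added example (editor's code, not QMT's): audit a qmail tree for the two
# mitigations discussed in the thread:
#   1. each supervise/*/run script wraps its daemon in daemontools' softlimit
#      with a memory limit (-m, or -a/-d which -m implies), and
#   2. control/databytes holds a positive message-size limit (a missing file
#      or 0 means qmail-smtpd accepts messages of any size).
# Service names smtp, submission and smtps come from the thread; "send" for
# the qmail-start script is an assumption about QMT's naming.
set -u

# 0 if $1 contains a softlimit invocation carrying a memory limit, else 1.
# Heuristic: matches "softlimit ... -m N", "-a N" or "-d N" (N may be a
# shell variable); a limit applied some other way is reported as missing.
run_has_softlimit() {
    [ -r "$1" ] || return 1
    grep -Eq 'softlimit[[:space:]].*-(m|a|d)[[:space:]]+[^[:space:]]+' "$1"
}

# Print the numeric databytes limit of tree $1 (0 when unset or unreadable).
databytes_limit() {
    f="$1/control/databytes"
    if [ -r "$f" ]; then
        n=$(head -n 1 "$f" | tr -dc '0-9')
        printf '%s\n' "${n:-0}"
    else
        printf '0\n'
    fi
}

# 0 if databytes is a positive limit, 1 otherwise.
databytes_is_set() {
    [ "$(databytes_limit "$1")" -gt 0 ]
}

# Report each run script and databytes; return the number of run scripts that
# exist but carry no memory limit (0 means every present script is wrapped).
audit_qmail_tree() {
    root="$1"; missing=0
    for svc in smtp submission smtps send; do
        run="$root/supervise/$svc/run"
        if [ ! -r "$run" ]; then
            echo "$svc: no run script at $run (skipped)"
        elif run_has_softlimit "$run"; then
            echo "$svc: softlimit present"
        else
            echo "$svc: NO memory limit"
            missing=$((missing + 1))
        fi
    done
    if databytes_is_set "$root"; then
        echo "databytes: $(databytes_limit "$root") bytes"
    else
        echo "databytes: NOT set (missing or 0 means unlimited)"
    fi
    return "$missing"
}

# Constructed demo tree: smtp wrapped in softlimit, submission not wrapped,
# databytes set to 20 MB. The tcpserver lines are illustrative, not QMT's.
make_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/control" "$d/supervise/smtp" "$d/supervise/submission"
    cat > "$d/supervise/smtp/run" <<'EOF'
#!/bin/sh
exec /usr/bin/softlimit -m 64000000 /usr/bin/tcpserver -v -R -H -l 0 0 25 /var/qmail/bin/qmail-smtpd 2>&1
EOF
    cat > "$d/supervise/submission/run" <<'EOF'
#!/bin/sh
exec /usr/bin/tcpserver -v -R -H -l 0 0 587 /var/qmail/bin/qmail-smtpd 2>&1
EOF
    printf '20000000\n' > "$d/control/databytes"
    printf '%s\n' "$d"
}

# Usage against a real install:  sh audit_qmail.sh /var/qmail
# With no argument nothing is audited, so the functions can be sourced.
if [ "${1:-}" != "" ]; then
    audit_qmail_tree "$1"
fi
```

Run it against the real tree to answer Chris's "have you checked your deployed systems?"; a non-zero exit status is the count of run scripts that are present but unwrapped. The grep is deliberately a heuristic, so a script that sets limits through ulimit or a wrapper other than softlimit will be flagged and should be checked by hand.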
