At 06:53 PM 5/24/2005, Mike wrote:
At 5/24/2005 03:31 PM, Ken A wrote:

The email you forwarded gives you the answer:
-------------------------------------------------------------------
     Package           /  Vulnerable  /                     Unaffected
-------------------------------------------------------------------
  1  net-mail/qpopper     < 4.0.5-r3                       >= 4.0.5-r3

Versions 4.05-rc3 and up are not vulnerable.

I saw that in the advisory, but it still left me unsure as to whether non-packaged versions of Qpopper were available because:

1) There are sometimes vulnerabilities in packages that do not exist when one compiles from source.
2) There is no source package with the version 4.0.5-r3.
3) The two CVE entries for the vulnerabilities are so new (April 18, 2005) that the entries do not contain any detail about the vulnerabilities, suggesting that the vulnerabilities may not have been known when beta two of Qpopper 4.0.6 was released in Sept. 2004 or even in 4.0.7, which was released on April 25, 2005.

4.0.7 certainly had the fix, as I did some testing to verify it on Linux. Randall probably would know better where the code first was merged in.

4.0.8 also has it. See my other note for the limited case where it was even an issue. Most ISP implementations of qpopper likely were never vulnerable at all.

