Re: [suse-security] Qpopper 2.53 remote problem, user can gaingid=mail (fwd)

Or, perhaps, all can upgrade to qpopper3.0.2 ftp://ftp.qualcomm.com/eudora/servers/unix/popper/ I don't know if the prob still exists. I'm assuming it has been fixed? Please correct me if I'm wrong. kw /* Keith Warno ** Developer & Sys Admin ** http://www.HaggleWare.com/ */ ----- Original Message ----- From: "Roman Drahtmueller" To: Sent: 24 May 2000, Wednesday 14:24 Subject: Re: [suse-security] Qpopper 2.53 remote problem, user can gaingid=mail (fwd) As some might have already heard, there's a security problem with qpopper shipped with SuSE-6.4 (read the message this one refers to). Until there is an update for the pop package, the problem can be circumvented by using one of the other pop daemons that come with SuSE: /usr/sbin/ipop2d /usr/sbin/ipop3d /usr/sbin/pop3d In order for the other daemon to be used, change the respective line in /etc/inetd.conf from: pop3 stream tcp nowait root /usr/sbin/tcpd /usr/sbin/popper -s to read: pop3 stream tcp nowait root /usr/sbin/tcpd ipop3d Those pop-daemons are not necessarily capable of the UIDL command, but browsers should workaround this transparently. On Wed, 24 May 2000, Peter Münster wrote:

From: Peter Münster To: SuSE Securitylist , cri-cert@univ-rennes1.fr Date: Wed, 24 May 2000 19:53:32 +0200 (CEST) Subject: [suse-security] Qpopper 2.53 remote problem, user can gain gid=mail (fwd)

Instead of the file pop_msg.c, which should be patched as mentioned in the advisory, it seems to be rather pop_uidl.c Cheers, Peter

Viele Grüße, Roman. -- _ _ | Roman Drahtmüller "The best way to pay for a | CC University of Freiburg lovely moment is to enjoy it." | email: draht@uni-freiburg.de - Richard Bach | - - --------------------------------------------------------------------- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com