
Hi,

On Thu, 15 Jun 2000 bolo@lupa.de wrote:
Hi,
we are concerned about some security issues of the program Qpop, which is part of the "pop" package of series n1. Up to SuSE 6.2, Qpop 2.53 has been part of this package, which is infamous for some security holes, including the ability for remote users with a valid (mail) account to gain shell access to the mail host with GID "mail". This would allow r/w access to all mail spools and more nasty things.
The authors of Qpop state quite clearly on their website (www.eudora.com/qpopper/) that Qpop versions <= 3.0.x should _not_ be used in productive Linux environments because of the known bugs.
Will the package "pop" be updated accordingly?
AFAIK the Eudora license does not allow us to ship qpop 3.x. So, we have two options: 1) patch it, 2) drop it. We patched 2.53, so all known bugs were fixed. You could use _our_ 2.53 update or install qpop 3.x from Eudora.

Bye,
Thomas

--
Thomas Biege, SuSE GmbH, Schanzaeckerstr. 10, 90443 Nuernberg
E@mail: thomas@suse.de
Function: Security Support & Auditing
"lynx -source http://www.suse.de/~thomas/thomas.pgp | pgp -fka"
Key fingerprint = 09 48 F2 FD 81 F7 E7 98 6D C7 36 F1 96 6A 12 47