
15 Jun 2000 10:31
Hi,

we are concerned about some security issues of the program Qpop which is part of the "pop" package of serial n1. Until SuSE 6.2, Qpop 2.53 has been part of this package which is infamous for some security holes, including the ability for remote users with a valid (mail-) account to gain access to the mail host via shell with GID "mail". This would allow r/w to all mail spools and more nasty things.

The authors of Qpop state quite clearly on their website (www.eudora.com/qpopper/) that Qpop versions <= 3.0.x should _not_ be used in productive Linux environments because of the known bux.

Will the package "pop" be updated accordingly?

Regards,
Boris Lorenz <bolo@lupa.de> (SysAd)
--- Landwehr & Partner ---