Re: [suse-security] Qpop versions pre 2.53
1. I downloaded Qpopper 3.02 from www.eudora.com, but was not required to acknowledge any licence. So, there might be a difference between the licence text and actual practice by Qualcomm.

2. Thomas, you listed "patch" and "drop" as the only options. But wouldn't it be an option to include qpopper 3.02 in the series "commercial software", or anything which is not installed by default, but a user could install manually?

3. As I understand from Qualcomm's release notes, V 3.02 does not only fix known security deficiencies, but lines up new defenses against buffer overflow exploits. Hence it should be inherently more secure than SuSE's patched 2.53. Although I acknowledge your efforts to fix qpopper 2.53, you should make it clear to users that this is not the technically best solution.

Brgds
Rainer

Thomas Biege <thomas@suse.de>
Sent by: suse-security-return-1955-rhoerbe=netpromote.co.at@suse.com
15.06.00 18:53
To: bolo@lupa.de
cc: suse-security@suse.com
Subject: Re: [suse-security] Qpop versions pre 2.53

> Hi,
>
> On Thu, 15 Jun 2000 bolo@lupa.de wrote:
>
> > Hi,
> > we are concerned about some security issues of the program Qpop which is
> > part of the "pop" package of series n1. Until SuSE 6.2 Qpop 2.53 has been
> > part of this package, which is infamous for some security holes, including
> > the ability for remote users with a valid (mail-) account to gain access to
> > the host via shell with GID "mail". This would allow r/w to all mail spools
> > and more nasty things.
> >
> > The authors of Qpop state quite clearly on their website
> > (www.eudora.com/qpopper/) that Qpop versions <= 3.0.x should _not_ be used
> > in productive Linux environments because of the known bugs.
> >
> > Will the package "pop" be updated accordingly?
>
> AFAIK the eudora license denies us to ship qpop 3.x. So, we have two options:
> 1) patch it
> 2) drop it.
> We patched 2.53, so all known bugs were fixed. You could use _our_ 2.53 update
> or install qpop 3.x from eudora.
>
> Bye,
> Thomas
> --
> Thomas Biege, SuSE GmbH, Schanzaeckerstr. 10, 90443 Nuernberg
> E@mail: thomas@suse.de
> Function: Security Support & Auditing
> "lynx -source http://www.suse.de/~thomas/thomas.pgp | pgp -fka"
> Key fingerprint = 09 48 F2 FD 81 F7 E7 98 6D C7 36 F1 96 6A 12 47