Qpop versions pre 2.53
Hi,

we are concerned about some security issues of the program Qpop which is part of the "pop" package of serial n1. Until SuSE 6.2 Qpop 2.53 has been part of this package which is infamous for some security holes, including the ability for remote users with a valid (mail-) account to gain access to the mail host via shell with GID "mail". This would allow r/w to all mail spools and more nasty things.

The authors of Qpop state quite clearly on their website (www.eudora.com/qpopper/) that Qpop versions <= 3.0.x should _not_ be used in productive Linux environments because of the known bux.

Will the package "pop" be updated accordingly?

Regards,
Boris Lorenz <bolo@lupa.de> (SysAd)
--- Landwehr & Partner ---
Hi,

On Thu, 15 Jun 2000 bolo@lupa.de wrote:
> Hi,
>
> we are concerned about some security issues of the program Qpop which is part of the "pop" package of serial n1. Until SuSE 6.2 Qpop 2.53 has been part of this package which is infamous for some security holes, including the ability for remote users with a valid (mail-) account to gain access to the mail host via shell with GID "mail". This would allow r/w to all mail spools and more nasty things.
>
> The authors of Qpop state quite clearly on their website (www.eudora.com/qpopper/) that Qpop versions <= 3.0.x should _not_ be used in productive Linux environments because of the known bux.
>
> Will the package "pop" be updated accordingly?

AFAIK does the eudora license deny us to ship qpop 3.x. So, we have two options: 1) patch it 2) drop it.

We patched 2.53, so all known bugs were fixed. You could use _our_ 2.53 update or install qpop 3.x from eudora.

Bye,
Thomas
--
Thomas Biege, SuSE GmbH, Schanzaeckerstr. 10, 90443 Nuernberg
E@mail: thomas@suse.de Function: Security Support & Auditing
"lynx -source http://www.suse.de/~thomas/thomas.pgp | pgp -fka"
Key fingerprint = 09 48 F2 FD 81 F7 E7 98 6D C7 36 F1 96 6A 12 47
Thomas Biege wrote:
> AFAIK does the eudora license deny us to ship qpop 3.x. So, we have two options: 1) patch it 2) drop it.

I can't follow your argument. My interpretation of License.txt in the qpopper 3.0.2 package is that the right to redistribute qpopper unchanged as well as in modified form is granted.

Regards,
Andreas.
------------------------------------------------------------------------
Andreas Gruenbacher, a.gruenbacher@computer.org
Contact information: http://www.bestbits.at/~ag/
On Thu, 15 Jun 2000, Andreas Gruenbacher wrote:
> Thomas Biege wrote:
>> AFAIK does the eudora license deny us to ship qpop 3.x. So, we have two options: 1) patch it 2) drop it.
>
> I can't follow your argument. My interpretation of License.txt in the qpopper 3.0.2 package is that the right to redistribute qpopper unchanged as well as in modified form is granted.

AFAIR it says: "user must agree to license prior to installation", which would be only possible with an interactive package install which is a general no-no.

--
with kind regards (mit freundlichem Grinsen), Ruediger Oertel (ro@suse.de)
----------------------------------------------------------
does "DONT PANIC" give a hint ?
On 15 Jun 2000 18:55:06 +0200, Thomas Biege <thomas@suse.de> wrote:
> We patched 2.53, so all known bugs were fixed. You could use _our_ 2.53 update or install qpop 3.x from eudora.

So wouldn't it be smart to mark the thing as change/patched somehow, like 2.53p1 ?

--
Ralf.Hildebrandt@innominate.de innominate AG networking people
fon: +49.30.308806-44 fax: -77 web: http://innominate.de pgp: /pgp/rh
On 16 Jun 2000, Ralf Hildebrandt wrote:
> On 15 Jun 2000 18:55:06 +0200, Thomas Biege <thomas@suse.de> wrote:
>> We patched 2.53, so all known bugs were fixed. You could use _our_ 2.53 update or install qpop 3.x from eudora.
>
> So wouldn't it be smart to mark the thing as change/patched somehow, like 2.53p1 ?

hm, usually we increment the release number (???) behind the version number.

Bye,
Thomas
--
Thomas Biege, SuSE GmbH, Schanzaeckerstr. 10, 90443 Nuernberg
E@mail: thomas@suse.de Function: Security Support & Auditing
"lynx -source http://www.suse.de/~thomas/thomas.pgp | pgp -fka"
Key fingerprint = 09 48 F2 FD 81 F7 E7 98 6D C7 36 F1 96 6A 12 47
participants (5)
- Andreas Gruenbacher
- bolo@lupa.de
- Ralf Hildebrandt
- Ruediger Oertel
- Thomas Biege