Mailinglist Archive: opensuse-security (192 mails)

Re: [suse-security] Qpopper 2.53 remote problem, user can gain gid=mail (fwd)
  • From: "Keith Warno" <keith@xxxxxxxxxxxxxx>
  • Date: Wed, 24 May 2000 14:34:48 -0400
  • Message-id: <000401bfc5ae$bddb23e0$9e0a010a@xxxxxxxxxxx>
Or, perhaps, all can upgrade to qpopper3.0.2

I don't know if the prob still exists. I'm assuming it has been fixed?

Please correct me if I'm wrong.

/* Keith Warno
** Developer & Sys Admin

----- Original Message -----
From: "Roman Drahtmueller" <draht@xxxxxxxxxxxxxxx>
To: <suse-security@xxxxxxx>
Sent: 24 May 2000, Wednesday 14:24
Subject: Re: [suse-security] Qpopper 2.53 remote problem, user can gain gid=mail (fwd)

As some might have already heard, there's a security problem with qpopper
shipped with SuSE-6.4 (read the message this one refers to).

Until there is an update for the pop package, the problem can be
circumvented by using one of the other pop daemons that come with SuSE:


In order for the other daemon to be used, change the respective line in
/etc/inetd.conf from:

pop3 stream tcp nowait root /usr/sbin/tcpd /usr/sbin/popper -s

to read:

pop3 stream tcp nowait root /usr/sbin/tcpd ipop3d

Those pop-daemons are not necessarily capable of the UIDL command, but
browsers should work around this transparently.

On Wed, 24 May 2000, Peter Münster wrote:

> From: Peter Münster <peter@xxxxxxxxxxxxxxxxxxxxxxx>
> To: SuSE Securitylist <suse-security@xxxxxxxx>, cri-cert@xxxxxxxxxxxxxxx
> Date: Wed, 24 May 2000 19:53:32 +0200 (CEST)
> Subject: [suse-security] Qpopper 2.53 remote problem,
> user can gain gid=mail (fwd)
> Instead of the file pop_msg.c, which should be patched as mentioned in the
> advisory, it seems to be rather pop_uidl.c
> Cheers, Peter

Best regards,
_ _
| Roman Drahtmüller "The best way to pay for a |
CC University of Freiburg lovely moment is to enjoy it."
| email: draht@xxxxxxxxxxxxxxx - Richard Bach |
- -
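
A check for the inetd.conf workaround described in the mail above, as an added example that is not part of the original messages: it reports which daemon each active pop3 entry starts, looking past the tcpd wrapper. The function names, the `pop-3` service alias and the sample files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an inetd.conf for the daemon behind the pop3 service.
# inetd.conf fields: service socket proto wait user server-path args...

# Print the daemon name behind every active (uncommented) pop3 entry.
pop3_daemons() {
    awk '
        $1 ~ /^#/ { next }                   # skip commented-out entries
        $1 == "pop3" || $1 == "pop-3" {
            prog = $6
            # With TCP wrappers the real daemon is the first argument.
            if (prog ~ /(^|\/)tcpd$/ && NF >= 7) prog = $7
            sub(/.*\//, "", prog)            # keep the basename only
            print prog
        }
    ' "$1"
}

# Return status: 0 = no active entry runs popper, 1 = popper still active,
# 2 = no active pop3 entry at all (service is off).
audit_pop3() {
    daemons=$(pop3_daemons "$1")
    [ -n "$daemons" ] || return 2
    if printf '%s\n' "$daemons" | grep -qx 'popper'; then
        return 1
    fi
    return 0
}

# Constructed samples: the inetd.conf line before and after the change.
before=$(mktemp)
after=$(mktemp)
printf '%s\n' \
    'pop3 stream tcp nowait root /usr/sbin/tcpd /usr/sbin/popper -s' > "$before"
printf '%s\n' \
    '#pop3 stream tcp nowait root /usr/sbin/tcpd /usr/sbin/popper -s' \
    'pop3 stream tcp nowait root /usr/sbin/tcpd ipop3d' > "$after"

for f in "$before" "$after"; do
    rc=0
    audit_pop3 "$f" || rc=$?
    echo "status $rc: $(pop3_daemons "$f" | tr '\n' ' ')"
done
```

On a real host, pass `/etc/inetd.conf` to `audit_pop3`; inetd only picks up an edited file after it re-reads its configuration.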
