Mailinglist Archive: opensuse-security (192 mails)

Re: [suse-security] Qpopper 2.53 remote problem, user can gain gid=mail (fwd)
  • From: Roman Drahtmueller <draht@xxxxxxxxxxxxxxx>
  • Date: Wed, 24 May 2000 20:24:24 +0200 (MEST)
  • Message-id: <Pine.LNX.4.21.0005241956480.27006-100000@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>

As some might have already heard, there's a security problem with qpopper
shipped with SuSE-6.4 (read the message this one refers to).

Until there is an update for the pop package, the problem can be
circumvented by using one of the other pop daemons that come with SuSE:

/usr/sbin/ipop2d
/usr/sbin/ipop3d
/usr/sbin/pop3d

In order for the other daemon to be used, change the respective line in
/etc/inetd.conf from:

pop3 stream tcp nowait root /usr/sbin/tcpd /usr/sbin/popper -s

to read:

pop3 stream tcp nowait root /usr/sbin/tcpd ipop3d

Those pop daemons are not necessarily capable of the UIDL command, but
browsers should work around this transparently.


On Wed, 24 May 2000, Peter Münster wrote:

> From: Peter Münster <peter@xxxxxxxxxxxxxxxxxxxxxxx>
> To: SuSE Securitylist <suse-security@xxxxxxxx>, cri-cert@xxxxxxxxxxxxxxx
> Date: Wed, 24 May 2000 19:53:32 +0200 (CEST)
> Subject: [suse-security] Qpopper 2.53 remote problem,
> user can gain gid=mail (fwd)
>
>
> Instead of the file pop_msg.c, which should be patched as mentioned in the
> advisory, it seems to be rather pop_uidl.c
> Cheers, Peter
>
>




Best regards,
Roman.
--
_ _
| Roman Drahtmüller "The best way to pay for a |
CC University of Freiburg lovely moment is to enjoy it."
| email: draht@xxxxxxxxxxxxxxx - Richard Bach |
- -
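
The inetd.conf change described in the mail above, as an added shell example that is not part of the original message: it rewrites only the active, tcpd-wrapped pop3 line that starts popper, leaves commented-out lines and other services alone, and keeps a backup. The function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example; function names and the sample file are constructed.

# Constructed sample inetd.conf fragment (one commented, one active pop3 line).
sample_conf() {
cat <<'EOF'
ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd
#pop3 stream tcp nowait root /usr/sbin/tcpd /usr/sbin/popper -s
pop3 stream tcp nowait root /usr/sbin/tcpd /usr/sbin/popper -s
EOF
}

# Print the server program (field 7, after tcpd) of each active pop3 line.
active_pop3_server() {
    awk '$1 == "pop3" { print $7 }' "$1"
}

# Emit the config with active, tcpd-wrapped popper lines switched to ipop3d.
# The popper-specific "-s" argument is dropped, as in the mail's replacement line.
# Commented-out lines and all other services pass through unchanged.
swap_popper() {
    awk '
        $1 == "pop3" && $6 ~ /(^|\/)tcpd$/ && $7 ~ /(^|\/)popper$/ {
            print $1, $2, $3, $4, $5, $6, "ipop3d"
            next
        }
        { print }
    ' "$1"
}

# Keep a backup, then rewrite in place so owner and mode stay as they were.
# inetd only picks up the change after it re-reads its config (SIGHUP).
apply_swap() {
    cp -p "$1" "$1.bak" &&
    swap_popper "$1" > "$1.new" &&
    cat "$1.new" > "$1" &&
    rm -f "$1.new"
}

# Demo on a temporary copy of the constructed sample, never on /etc/inetd.conf.
tmp=$(mktemp)
sample_conf > "$tmp"
echo "before: $(active_pop3_server "$tmp")"
apply_swap "$tmp"
echo "after:  $(active_pop3_server "$tmp")"
rm -f "$tmp" "$tmp.bak"
```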




