15 Jun 2000 10:31
Hi,
we are concerned about some security issues of the program Qpop which is part
of the "pop" package of serial n1. Until SuSE 6.2, Qpop 2.53 has been part
of this package which is infamous for some security holes, including the
ability for remote users with a valid (mail-) account to gain access to the mail
host via shell with GID "mail". This would allow r/w to all mail spools and
more nasty things.
The authors of Qpop state quite clearly on their website
(www.eudora.com/qpopper/) that Qpop versions <= 3.0.x should _not_ be used in
productive Linux environments because of the known bugs.
Will the package "pop" be updated accordingly?
Regards,
Boris Lorenz