Koozali.org: home of the SME Server

Legacy Forums => General Discussion (Legacy) => Topic started by: cryblood on January 26, 2000, 01:58:50 AM

Title: qmail insecure???
Post by: cryblood on January 26, 2000, 01:58:50 AM

I recently ran across a report that there is a possible exploit for qmail that allows someone to gain root privliges remotely,  information can be found at www.ktwo.ca/security.html.  I was wondering if e-smith was affected by this.  I tried to look at the advisory and figure it out but was unfamiliar with some of the things it contained.  

will be looking forward to a reply.

thanx.

Title: RE: qmail-pop3 insecure???
Post by: Charlie Brady on January 26, 2000, 02:10:51 AM

cryblood wrote:

> I recently ran across a report that there is a possible exploit
> for qmail that allows someone to gain root privliges remotely,
> information can be found at www.ktwo.ca/security.html.  I was
> wondering if e-smith was affected by this.  I tried to look at
> the advisory and figure it out but was unfamiliar with some of
> the things it contained.

The exploit is not for qmail, but for qmail-pop3  (a POP-3 server) used with vchkpw, a third party modular authentication checker. The e-smith server and gateway does not use this combination, and is not vulnerable.

Charlie

Title: RE: qmail-pop3 insecure???
Post by: Charlie Brady on January 26, 2000, 03:11:19 AM

Charlie Brady wrote:

> The exploit is not for qmail, but for qmail-pop3  (a POP-3
> server) used with vchkpw, a third party modular authentication
> checker.

Actually, to be completely accurate, the expolit is of vchkpw, which is accessible via qmail-pop3, if they are used together.

It's still not a problem for us :-)

Charlie

Title: RE: qmail-pop3 insecure???
Post by: cryblood on January 26, 2000, 03:45:26 AM

YYYAAAYYY!!!
 
Once again my beloved e-smith server proves to be secure and wonderful!

just wait till I tell microsoft boy! (boss)