
[linux-security] Re: Qpop CERT advisory?



On Thu, 16 Jul 1998, Levy Carneiro Jr. wrote:

> On Tue, 14 Jul 1998, B. James Phillippe wrote:
> > 	Anyone have information on whether RedHat-5.0+ is affected by the
> > recent (today's) CERT advisory regarding QPOP?
> 	
> 	This problem is due to the qpopper version, not the distribution
> version.
> 	If your qpopper server is version 2.4 you must upgrade it.

The question was meant to be interpreted: is the POP daemon distributed
with RedHat affected by the same exploits?  Many people have responded with
information that doesn't answer the question.  I have also received
responses from people stating that the POP with RedHat (imap-4.1) is not
affected, and others who say it is.  I've tried running two of the exploits
I could find on the Bugtraq archive against a RedHat-4.2 system with no
success.  So the question still stands: is the imap package distributed
with RedHat also vulnerable to the qpopper exploit, or any other POP
exploit?  It doesn't appear to be, but...

[mod: James, you have the correct approach: even if you cannot
reproduce a vulnerability, assume that it affects you. This is very
important. Usually you can find a version number that's supposed to be
fixed. Check the version numbers.

Some programs are littered with bugs. Once someone finds one bug there
will be a flurry of more bugs and more fixes. So don't trust the
release notes that say "security bugs fixed". You have to keep an eye
on the new releases and the mailing lists. -- REW]


-bp
--
B. James Phillippe <bryan terran org>
Linux Software Engineer, WGT Inc.
http://earth.terran.org/~bryan


