Re: Qpop CERT advisory?

[esiewick digipro com (Edward Siewick)]

>Originally it seemed only linux was affected. In the intervening weeks I've
>seen someone post a freeBSD version and yesterday one for SCO (although
>come to think of it that one may not have been qpopper, but whatever pop3
>SCO ships with).

Qpopper is derived from the Berkeley popper.

SCO v3.2r4.2 shipped with a pop3d;
SCO v3.2r5.0 ships with 'popper.'  The CERT thing mentioned:

     Some SCO Operating systems are vulnerable. Patches are currently
     being developed and should be available soon.

We use qpopper on several Linux, SCO, Solaris and HP/UX servers; we just did
them all.


> What I can't believe is how long CERT advisories take to come out these
> days. If I would have waited until I got this one before I patched the one
> box I had that was affected I would have been hacked about 3 times.

I have to wonder about the CERT announcement timing policy.  Anybody know
how they decide when to announce?  At the least, there's a delay of days
while the vendors are contacted with respect to patches and such.  Usually,
Sun has its act together; SCO is "looking into it" or "working on patches"
or some other sort of vague comment.

Edward Siewick
-- 
  ESiewick DigiPro com               DigiPro Digital Productions, LLC
  Voice:  703-522-8465                   3100 North Quincy Street
  Fax:    703-522-8417                  Arlington, Virginia  22207