[linux-security] Re: IMAPD fix for RH

[Bill Dimmick <bfdimmic eos ncsu edu>]

On Mon, 20 Jul 1998 djb redhat com wrote:

> 
> > It appears that uninstalling the imap rpm uninstalls the pop mail service as
> > well, or at least disables it.  Is this uncool?  Is it safe to leave it
> > installed (but removed from inetd.conf) for the sake of keeping pop service in
> > place?
> 
> I'm not sure, actually.  The POP code comes from the imap package, so
> presumably you need to updated it *all* if you use any of it to make
> sure you are safe from attack.  
> 

	Actually, as far as I know, the attack is isolated to imapd,
not the pop3 daemon.  Even though you guys bundle these together, I think
disabling imapd in /etc/inetd.conf is enough, because that denies an
attacker access to the service exploited.

	Does the POP3 use any of the same insecure code as the IMAP?

> I'd just update the package to the latest one and leave imap enabled.

	OR update and take IMAP out if you don't need it...one less thing
on the teets of the CPU.

	-BFD-
	
------------------------------------------------------------------------
[Bill Dimmick]  [http://www4.ncsu.edu/~bfdimmic] [bfdimmic eos ncsu edu]
"No boom today, boom tomorrow, there is always a boom tomorrow...What?!
      Look, somebody's got to have some damn perspective around here...
      Sooner or later...BOOM!!"  -Ivonova, Babylon 5 [Grail]
------------------------------------------------------------------------