Am Donnerstag, den 25.09.2014, 20:56 -0400 schrieb Sam Varshavchik:
> Ángel González writes:
>
> > Sam Varshavchik wrote:
> > > > And is Courier affected by the “follow-up” CVE-2014-7169?
> > >
> > > I don't think the follow-up exploit is in scope. To use the follow-up
> > > explot, so far, you need to somehow stuff the ">" character into an
> > > email address.
> > >
> > > This is going to be a problem, since the > character terminates the
> > > MAIL FROM or the RCPT TO command. So, I'm not worried about it.
> >
> > courier accepts CVE-2014-7169 poc in the EHLO
>
> That's not enough. This has to make it into some bash process's initial
> environment.
>
> It's not going to make it into the shell that runs .courier delivery
> commands.
What if I have
DEFAULTDELIVERY="| /usr/bin/maildrop"
in /etc/courier/courierd? Will the EHLO string be passed to a shell in
this case?
All the best,
Wolfgang
------------------------------------------------------------------------------
Meet PCI DSS 3.0 Compliance Requirements with EventLog Analyzer
Achieve PCI DSS 3.0 Compliant Status with Out-of-the-box PCI DSS Reports
Are you Audit-Ready for PCI DSS 3.0 Compliance? Download White paper
Comply to PCI DSS 3.0 Requirement 10 and 11.5 with EventLog Analyzer
http://pubads.g.doubleclick.net/gampad/clk?id=154622311&iu=/4140/ostg.clktrk
_______________________________________________
courier-users mailing list
courier-users@lists.sourceforge.net
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
