Am Donnerstag, den 25.09.2014, 20:56 -0400 schrieb Sam Varshavchik: > Ángel González writes: > > > Sam Varshavchik wrote: > > > > And is Courier affected by the “follow-up” CVE-2014-7169? > > > > > > I don't think the follow-up exploit is in scope. To use the follow-up > > > explot, so far, you need to somehow stuff the ">" character into an > > > email address. > > > > > > This is going to be a problem, since the > character terminates the > > > MAIL FROM or the RCPT TO command. So, I'm not worried about it. > > > > courier accepts CVE-2014-7169 poc in the EHLO > > That's not enough. This has to make it into some bash process's initial > environment. > > It's not going to make it into the shell that runs .courier delivery > commands.
What if I have DEFAULTDELIVERY="| /usr/bin/maildrop" in /etc/courier/courierd? Will the EHLO string be passed to a shell in this case? All the best, Wolfgang ------------------------------------------------------------------------------ Meet PCI DSS 3.0 Compliance Requirements with EventLog Analyzer Achieve PCI DSS 3.0 Compliant Status with Out-of-the-box PCI DSS Reports Are you Audit-Ready for PCI DSS 3.0 Compliance? Download White paper Comply to PCI DSS 3.0 Requirement 10 and 11.5 with EventLog Analyzer http://pubads.g.doubleclick.net/gampad/clk?id=154622311&iu=/4140/ostg.clktrk _______________________________________________ courier-users mailing list courier-users@lists.sourceforge.net Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users