On Wed, Dec 26, 2018 at 05:20:40PM +0100, Magnus Holmgren wrote:
> > CVE-2018-19518[0]:
> > | University of Washington IMAP Toolkit 2007f on UNIX, as used in
> > | imap_open() in PHP and other products, launches an rsh command (by
> > | means of the imap_rimap function in c-client/imap4r1.c and the
> > | tcp_aopen function in osdep/unix/tcp_unix.c) without preventing
> > | argument injection,
>
> I'm wondering if anyone would complain if I'd disable RSH (SSH) connections
> altogether.
Full ack, that seems like the most sensible fix.
Cheers,
Moritz
