Package: vpopmail-bin
Severity: grave
Tags: security

vpopmail has a couple of security holes:
CAN-2004-2239 a buffer overflow in vsybase.c
Originally reported here:
http://archives.neohapsis.com/archives/bugtraq/2004-08/0226.html
Confirmed by author as fixed in cvs here:
http://archives.neohapsis.com/archives/bugtraq/2004-08/0286.html
Unknown whether this is really exploitable
CAN-2004-2238 format string overflow in vsybase.c
Probably not a real security hole, see
http://archives.neohapsis.com/archives/bugtraq/2004-08/0264.html
But should be checked.
Finally, the reason this bug is grave: vpopmail's author says that
version 5.4.6 contains fixes for SQL injection vulnerabilities which
"made it possible for a remote attacker to insert additional SQL
commands into data passed into POP/IMAP login, SMTP AUTH, or a
QmailAdmin login."
http://archives.neohapsis.com/archives/bugtraq/2004-08/0286.html
This last hole does not seem to have been assigned a CAN number.
--
see shy jo
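The third issue in the report is an SQL injection reached through login data (POP/IMAP user names, SMTP AUTH, QmailAdmin). The following is an added example, not vpopmail's own code (vpopmail is written in C; Python with sqlite3 is used here only so the two query styles can be run side by side). The table name, column names and the user row are constructed for the demo; the point is the difference between splicing the user name into the query text and binding it as a parameter.

```python
"""
Added example (not vpopmail's own code): the SQL-injection pattern the
report describes, a login name concatenated into an SQL query, next to the
parameterized form that treats the same input as plain data.
The table layout and the user row are constructed for this demo.
"""
import sqlite3


def make_db():
    """Build an in-memory table loosely resembling a mail-user lookup
    (constructed; not vpopmail's real schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE vpopmail (pw_name TEXT, pw_domain TEXT, pw_passwd TEXT)"
    )
    conn.execute(
        "INSERT INTO vpopmail VALUES ('alice', 'example.org', 'secret')"
    )
    conn.commit()
    return conn


def lookup_unsafe(conn, user, domain):
    """Vulnerable form: the user name is spliced into the query text, so a
    quote character in the name changes the SQL statement itself."""
    sql = (
        "SELECT pw_name FROM vpopmail WHERE pw_name = '%s' AND pw_domain = '%s'"
        % (user, domain)
    )
    return conn.execute(sql).fetchone()


def lookup_safe(conn, user, domain):
    """Hardened form: placeholders bind the values; the driver never parses
    them as SQL, whatever characters they contain."""
    sql = "SELECT pw_name FROM vpopmail WHERE pw_name = ? AND pw_domain = ?"
    return conn.execute(sql, (user, domain)).fetchone()


def demo():
    """Run both lookups against the same crafted login name and report
    what each returns (constructed input for the demonstration)."""
    conn = make_db()
    # A login name that closes the string literal and appends a tautology;
    # with the unsafe query the WHERE clause matches an existing row.
    crafted = "nobody' OR '1'='1"
    return {
        "unsafe_row": lookup_unsafe(conn, crafted, "example.org"),
        "safe_row": lookup_safe(conn, crafted, "example.org"),
        "legit_row": lookup_safe(conn, "alice", "example.org"),
    }


if __name__ == "__main__":
    for name, row in demo().items():
        print(name, row)
```

With the unsafe query the crafted name matches the existing `alice` row, because `AND` binds tighter than `OR` and the appended `'1'='1'` is always true; with the bound-parameter query the same name is compared as a literal string and matches nothing, while a legitimate name still resolves. Any C code that builds the query with `sprintf` or string concatenation has the first shape; escaping every untrusted value through the database client's quoting routine, or using prepared statements, gives the second.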