Package: vpopmail-bin
Severity: grave
Tags: security

vpopmail has a couple of security holes:

CAN-2004-2239: a buffer overflow in vsybase.c
Originally reported here: http://archives.neohapsis.com/archives/bugtraq/2004-08/0226.html
Confirmed by author as fixed in cvs here: http://archives.neohapsis.com/archives/bugtraq/2004-08/0286.html
Unknown whether this is really exploitable.

CAN-2004-2238: format string overflow in vsybase.c
Probably not a real security hole, see http://archives.neohapsis.com/archives/bugtraq/2004-08/0264.html
But should be checked.

Finally, the reason this bug is grave: vpopmail's author says that version 5.4.6 contains fixes for SQL injection vulnerabilities which "made it possible for a remote attacker to insert additional SQL commands into data passed into POP/IMAP login, SMTP AUTH, or a QmailAdmin login."
http://archives.neohapsis.com/archives/bugtraq/2004-08/0286.html
This last hole does not seem to have been assigned a CAN number.

-- 
see shy jo