Thus said "D. J. Bernstein" on 01 Mar 2001 02:27:37 GMT:
> http://www.securityfocus.com/bid/2237
``Currently the SecurityFocus staff are not aware of any vendor
supplied patches for this issue.''
Why haven't they updated this? On a properly configured qmail system
this is a non-issue. Why is that not the *fix* that they seek?
> http://www.securityfocus.com/archive/1/6969
Isn't this a repeat of the first? The *exploit* code even looks
similar (if not the same).
> http://www.securityfocus.com/archive/1/6970
Again the same issue which is easily solved by configuring qmail
properly.
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0144
More of the same. Maybe they should define what they consider the
OS... Out of curiosity, is this why softlimit was added to the
daemontools package?
> http://www.insecure.org/sploits/qmail.DOS.rcpt.html
Again the same problem...
> http://xforce.iss.net/static/208.php
At least they got the version right here, but still the same problem
which is easily taken care of with proper configuration.
> http://archives.neohapsis.com/archives/postfix/2000-01/1170.html
At least this one is not as dull as the rest. :-)
> If you have seen any of these web pages, or any similar web pages at
> other locations, please send me email with the following information:
I haven't seen any additional pages, but the first three listed I had
seen before. When I first saw the reports I decided to test my current
systems against what was proposed. Each test failed to reproduce the
attack described. I was actually surprised because I wasn't certain
how the systems had been set up (I didn't do the initial configuration
of the systems). Of course it didn't have any effect (other than
closing the connection with a temporary error) on the system. I
suppose an attacker could attempt to exhaust the memory by taking up
all the connections available; however, even this is avoidable by doing
the math.
For example, tcpserver by default will only accept 40 connections.
If each qmail-smtpd is started with softlimit -m 2000000 that comes out
to 80M of RAM that will ever be allocated. On a server with 128M this
won't even touch swap (unless there are other services running on the
server in which case the admin *will* have figured that into the total).
Andy
--
[-----------[system uptime]--------------------------------------------]
11:43pm up 14 days, 23:45, 7 users, load average: 1.22, 1.16, 1.17
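
Added example, not part of the original message: softlimit -m sets resource limits on the daemon before it runs, so an oversized request ends in a refused allocation (and, as described above, a temporary error) rather than exhausted RAM. This C sketch applies only RLIMIT_AS, a simplification of what -m sets, to a forked child with a constructed 64 MiB cap; the function name chunks_before_refusal is hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/resource.h>
#include <sys/wait.h>

#define CHUNK (1024 * 1024)   /* allocate in 1 MiB steps */

/* Fork a child, cap its address space at limit_mib MiB (the kind of limit
 * softlimit applies before exec), then let it allocate until malloc() is
 * refused. Returns the number of 1 MiB chunks obtained, or -1 on error. */
int chunks_before_refusal(int limit_mib)
{
    int fds[2], count = -1;
    if (pipe(fds) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                        /* child: stand-in for the daemon */
        struct rlimit rl;
        int n = 0;
        close(fds[0]);
        rl.rlim_cur = rl.rlim_max = (rlim_t)limit_mib * CHUNK;
        if (setrlimit(RLIMIT_AS, &rl) != 0) _exit(1);
        while (n < 4 * limit_mib) {        /* try to take 4x the cap */
            char *volatile p = malloc(CHUNK);
            if (p == NULL) break;          /* refused: the limit was reached */
            memset(p, 0xAA, CHUNK);        /* touch the pages so they are used */
            n++;
        }
        if (write(fds[1], &n, sizeof n) != (ssize_t)sizeof n) _exit(1);
        _exit(0);
    }
    close(fds[1]);                         /* parent: collect the child's count */
    if (read(fds[0], &count, sizeof count) != (ssize_t)sizeof count) count = -1;
    close(fds[0]);
    waitpid(pid, NULL, 0);
    return count;
}

int main(void)
{
    printf("64 MiB cap: child obtained %d MiB before malloc() was refused\n",
           chunks_before_refusal(64));
    return 0;
}
```

The child always stops short of the cap because its code, libraries and stack already count against the address-space limit; the parent, like the rest of the system, is unaffected.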