This may be a well known thing that I just haven't stumbled on yet, but
why does ftp://ftp.qualcomm.com/eudora/servers/unix/popper/ not have
an md5 file? Maybe I'm being paranoid and expecting this in the wrong
place.

I'll keep looking.

Gerald

P.S. Anyone want to take up maintainership of the FreeBSD port?
http://www.freshports.org/mail/qpopper/

On Mon, 25 Apr 2005, Randall Gellens wrote:

Date: Mon, 25 Apr 2005 16:10:54 -0700
From: Randall Gellens <[EMAIL PROTECTED]>
To: Qpopper Public List <qpopper@lists.pensive.org>,
    [EMAIL PROTECTED]
Subject: Qpopper 4.0.6 (final) available *** FIXES SECURITY ISSUES ***

Qpopper 4.0.6 (final) is available at <ftp://ftp.qualcomm.com/eudora/servers/unix/popper/>.

The full list of changes from one release to the next is on the FTP site, at <ftp://ftp.qualcomm.com/eudora/servers/unix/popper/Changes>.

Note that this release fixes several security-related issues. All users of Qpopper are strongly encouraged to upgrade to this release.

*** If you can't immediately upgrade, please disable user-writable configuration files (configuration files in the home directory or in some cases in the spool directory) ***

User configuration files are enabled with '-u' or '-U' (for home and spool directories) command-line options, or with the 'user-options' or 'spool-options' options in a configuration file. (Note that in all cases, the spool configuration file should not be made user-writable, but you should verify this with permissions.)

This version enables XTND XMIT to be disabled. Users are strongly encouraged to use SMTP AUTH rather than XTND XMIT. To reduce the risk of users injecting spam, please disable XTND XMIT if possible. XTND XMIT is disabled by the '-x' command-line option, or the 'xtnd-xmit' option in a configuration file.


Changes from 4.0.5 to 4.0.6:
----------------------------
 1. Minor fixes for true64.
 2. Patch from Uli Zappe to fix SCRAM compilation bugs.
 3. Minor fixes for true64.
 4. poppassd now runs smbpasswd as user, not root, to avoid exploit
 5. Remove -traditional-cpp from the compiler options for Darwin
    builds (otherwise build fails)
 6. Open stdout and stderr as O_WRONLY instead of O_RDONLY so that
    should anything actually be written to them it will show up
 7. When configured as --with-pam and required, include
    <pam/pam_appl.h> instead of <security/pam_appl.h> (otherwise
    build fails)
 8. strdup the pw.pw_name field from getpwnam so that it's still
    valid by the time genpath is called; also added corresponding
    free (without this fix when the bug manifests, clients are
    erroneously told there are 0 messages in the mail drop
    regardless of the actual number)
 9. Add a pam bug workaround at the beginning of main to do a
    pam_start and pam_end immediately when the program starts up in
    order to avoid bogus authentication failed messages from
    pam_authenticate later (only when configured as --with-pam)
    [ Thanks to Kyle McKay for changes 5-9 ]
10. Fixed error in configure script for Mac OS / Darwin.
11. Support chained certs for OpenSSL [from Daniel Senie].
12. Fixes to compile better on Linux [from Daniel Senie].
13. X-UIDL header no longer written when Update_status_hdrs is false
    [thanks to Helge Oldach]
14. Now calling SSL_shutdown() again if it fails the first time.
15. Now logging TLS errors when compiled with debugging and debug is
    enabled (instead of either) [thanks to Maks N. Polunin].
16. Config file now always closed (not just on error).
17. When using pam, Kerberos tickets are now destroyed. Otherwise
    dead tickets accumulate in cache directory which runs out of
    space quickly on busy server. Problem noted by Rodney McDuff
    ITS UQ. (Directory permissions on ticket cache dir need to be
    1777).
18. Always log "Servicing request" (instead of just when debugging
    is on). This allows start of pop sessions to be logged always
    which is useful for diagnosis of problems.
19. Worked around problem on some systems causing SIGALRM to be
    masked, leaving hung pop processes which should have timed out
    waiting for a command from the client.
    [ Thanks to David Shrimpton for changes 16-19 ]
20. Now defaulting to "EXPIRE NEVER" instead of "EXPIRE 0".
21. Fix core dump on 64-bit Solaris 2.8 [thanks to Kenny Nguyen]
22. Log facility set on command line now applies to daemon as well.
    [Thanks to Helge Oldach]
23. '-y' to set log facility on command line now works again.
24. Allow '-V' as synonym for '-v' (to see version).
25. Process user and spool config files as user, not as root (fix
    security hole reported by Jens Steube)
26. Added "xtnd_xmit" as a boolean option to permit/deny XTND XMIT
    and 'x' as a command-line option to disable it. You should
    disable it unless you really need it, and even then it is
    better to move to SMTP AUTH.
27. popauth now opens trace file as user, not root (fix security
    hole reported by Jens Steube); also umask now set.
28. Fix race crash on FreeBSD (thanks to Martin Haller).
29. Resolve some compiler warnings.
30. Fix check for libcrypt on FreeBSD.
31. Added sample pam configuration file (also installed by 'make
    install')
32. Use generic error msg and sleep in more auth failure cases.
33. Added code to use mkstemp() instead of our perfectly safe usage
    of tempnam() because some compilers issue overly broad warnings
    implying that all uses of tempnam() are unsafe. To bypass, use
    '--enable-tempnam' with ./configure.

--
Randall Gellens
Opinions are personal;    facts are suspect;    I speak for myself only
-------------- Randomly-selected tag: ---------------
Algol was a great improvement on most of its successors.
                                        --C.A.R Hoare
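
Changes 25 and 27 in the announcement above move file access from root to the user. The block below is an added example, not Qpopper's code and not part of either message: it shows that pattern in C by switching the effective uid/gid to the file's expected owner before opening a user-writable file, and refusing symlinks and files the user does not own. The names `open_user_file` and `demo` are hypothetical, and supplementary groups are assumed to be handled elsewhere.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open a per-user file with the user's effective identity, not root's.
 * Returns a read-only fd, or -1 with errno set. */
int open_user_file(const char *path, uid_t uid, gid_t gid)
{
    uid_t saved_uid = geteuid();
    gid_t saved_gid = getegid();
    struct stat st;
    int fd = -1, err = 0;

    if (setegid(gid) != 0)            /* group first, while still privileged */
        return -1;
    if (seteuid(uid) != 0) {
        err = errno;
    } else {
        /* O_NOFOLLOW: refuse a symlink planted by the user.
         * O_NONBLOCK: do not hang if the path is a FIFO. */
        fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK);
        if (fd < 0) {
            err = errno;
        } else if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != uid) {
            err = EACCES;             /* not a regular file owned by the user */
            close(fd);
            fd = -1;
        }
    }
    /* Regain the saved identity, user first; failure to do so is fatal. */
    if (seteuid(saved_uid) != 0 || setegid(saved_gid) != 0)
        abort();
    errno = err;
    return fd;
}

/* Constructed demo: 0 if a real file opens and a symlink to it is refused. */
int demo(void)
{
    char file[] = "/tmp/popcfgXXXXXX", link[64];
    int tmp = mkstemp(file);
    if (tmp < 0) return -1;
    close(tmp);
    snprintf(link, sizeof link, "%s.lnk", file);
    if (symlink(file, link) != 0) { unlink(file); return -1; }
    int ok = open_user_file(file, geteuid(), getegid());
    int bad = open_user_file(link, geteuid(), getegid());
    if (ok >= 0) close(ok);
    if (bad >= 0) close(bad);
    unlink(link); unlink(file);
    return (ok >= 0 && bad < 0) ? 0 : 1;
}

int main(void) { return demo(); }
```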
