At 06:18 PM 5/24/2005, Mike wrote:
Hi all,
I just came across this security advisory from Gentoo Linux today and was
wondering whether these vulnerabilities affect the latest release (4.0.8)
of Qpopper. This is the first time in a VERY long time that I've seen a
security advisory affecting Qpopper, so kudos to the developers for that.
I've checked the changelog at
ftp://ftp.qualcomm.com/eudora/servers/unix/popper/Changes and didn't find
any notes describing fixes of the vulnerabilities similar to those
described in the security advisory below (not dropping privileges to
process local files from normal users (CAN-2005-1151) and creating group
or world writeable files (CAN-2005-1152).)
So,
1. Does Qpopper 4.0.8 from
ftp://ftp.qualcomm.com/eudora/servers/unix/popper/ have the
vulnerabilities described in the Gentoo security advisory or is this a
Gentoo-specific issue?
2. If not, how long before we can expect a new release to address the
vulnerabilities below?

The issue was addressed in the recent releases (including 4.0.8). Unless
you were using per-user config files ('set user-options' in a config file),
no risk existed.