4.0.7 certainly had the fix, as I did some testing to verify it on Linux. Randall probably would know better where the code first was merged in.
4.0.8 also has it. See my other note for the limited case where it was even an issue. Most ISP implementations of qpopper likely were never vulnerable at all.
Thanks. I read through the changes too quickly, as Tim pointed out that I missed the following in the changes from 4.0.5 to 4.0.6:
25. Process user and spool config files as user, not as root (fix security hole reported by Jens Steube)