Re: qpopper vulnerability?

1999-03-11 Thread Bruce Guenter

On Tue, Mar 09, 1999 at 12:28:04PM -0700, John Gonzalez/netMDC admin wrote:
 has anyone messed with the popbull feature with virtual domains or the
 vmailmgrd patch?

vmailmgrd as of version 0.86 has had this feature built in.
-- 
Bruce Guenter, QCC Communications Corp.  EMail: [EMAIL PROTECTED]
Phone: (306)249-0220   WWW: http://www.qcc.sk.ca/~bguenter/



Re: qpopper vulnerability?

1999-03-10 Thread Russell Nelson

Aaron L. Meehan writes:
  Well, the qmail popbull patch works a bit differently, since it counts
  on the access time of the user's Maildir vs the creation time of the
  actual bulletin file to determine whether they should get the bulletin
  (as far as I can remember).

And as it turns out, that's insufficient to the task.

  One drawback of the ~/.popbull method would be a few thousand more
  inodes used.. among other things.

Actually, an empty file isn't assigned an inode.  It's just a
directory entry.

-- 
-russ nelson [EMAIL PROTECTED]  http://crynwr.com/~nelson
Crynwr supports Open Source(tm) Software| PGPok |   There is good evidence
521 Pleasant Valley Rd. | +1 315 268 1925 voice |   that freedom is the
Potsdam, NY 13676-3213  | +1 315 268 9201 FAX   |   cause of world peace.



Re: qpopper vulnerability?

1999-03-09 Thread Peter van Dijk

On Tue, Mar 09, 1999 at 11:23:47AM +0300, [EMAIL PROTECTED] wrote:
 On Tue, Mar 09, 1999 at 01:34:36AM +0100, Peter van Dijk wrote:
 
 [ssnip]
 
   Is qmail-popup (or any other program involved due to qmail's POP3
   interface design) known to be exploitable?
  
  No, DJB's code has always been perfectly exploit-free as far as I know. qmail-popup
  and qmail-pop3d are in _no_ _way_ related to qpopper.
 
 [ssnip]
 
 and the latest betas of qpopper are also exploit-free.

rephrase: no bugs have been found... after the amount of bugs found in previous
qpopper releases, I don't trust it.

Greetz, Peter.
-- 
.| Peter van Dijk   | mo|VERWEG get stoned or code
.| [EMAIL PROTECTED]  | mo|VERWEG that is the question of life
| mo|VERWEG code or get stoned
| mo|VERWEG get stoned AND code
| mo|VERWEG hmm
| mo|VERWEG then just get stoned and read slashdot :)



Re: qpopper vulnerability?

1999-03-09 Thread John Gonzalez/netMDC admin

On Tue, 9 Mar 1999 [EMAIL PROTECTED] wrote:

-| On Tue, Mar 09, 1999 at 09:56:41AM +0100, Peter van Dijk wrote:
-|  rephrase: no bugs have been found... after the amount of bugs found in previous
-|  qpopper releases, I don't trust it.
-| 
-| okay (: 
-| right you are ... the only thing that makes me use it anyways is its
-| bulletin board feature ...

can you describe the feature?

  ___   _  __   _  
__  /___ ___    /__  John Gonzalez/Net.Tech
__  __ \ __ \  __/_  __ `__ \/ __  /_  ___/ MDC Computers/netMDC!
_  / / / `__/ /_  / / / / / / /_/ / / /__ (505)437-7600/fax-437-3052
/_/ /_/\___/\__/ /_/ /_/ /_/\__,_/  \___/ http://www.netmdc.com
[-[system info]---]
 12:20pm  up 32 days, 19:00,  2 users,  load average: 0.04, 0.06, 0.01



Re: qpopper vulnerability?

1999-03-09 Thread Aaron L. Meehan

This would be the same feature supplied in the popbull patch to
qmail-pop3d available on the qmail.org web site(s).  Namely,
the ability to send a mail bulletin to all users without the need to
deliver a unique message to each mailbox.  I find it quite useful.

Aaron

Quoting John Gonzalez/netMDC admin ([EMAIL PROTECTED]):
 On Tue, 9 Mar 1999 [EMAIL PROTECTED] wrote:
 
 -| On Tue, Mar 09, 1999 at 09:56:41AM +0100, Peter van Dijk wrote:
 -|  rephrase: no bugs have been found... after the amount of bugs found in previous
 -|  qpopper releases, I don't trust it.
 -| 
 -| okay (: 
 -| right you are ... the only thing that makes me use it anyways is its
 -| bulletin board feature ...
 
 can you describe the feature?



Re: qpopper vulnerability?

1999-03-09 Thread John Gonzalez/netMDC admin

has anyone messed with the popbull feature with virtual domains or the
vmailmgrd patch?

On Tue, 9 Mar 1999, Aaron L. Meehan wrote:

-| This would be the same feature supplied in the popbull patch to
-| qmail-pop3d available on the qmail.org web site(s).  Namely,
-| the ability to send a mail bulletin to all users without the need to
-| deliver a unique message to each mailbox.  I find it quite useful.
-| 
-| Aaron
-| 
-| Quoting John Gonzalez/netMDC admin ([EMAIL PROTECTED]):
-|  On Tue, 9 Mar 1999 [EMAIL PROTECTED] wrote:
-|  
-|  -| On Tue, Mar 09, 1999 at 09:56:41AM +0100, Peter van Dijk wrote:
-|  -|  rephrase: no bugs have been found... after the amount of bugs found in previous
-|  -|  qpopper releases, I don't trust it.
-|  -| 
-|  -| okay (: 
-|  -| right you are ... the only thing that makes me use it anyways is its
-|  -| bulletin board feature ...
-|  
-|  can you describe the feature?
-| 

  ___   _  __   _  
__  /___ ___    /__  John Gonzalez/Net.Tech
__  __ \ __ \  __/_  __ `__ \/ __  /_  ___/ MDC Computers/netMDC!
_  / / / `__/ /_  / / / / / / /_/ / / /__ (505)437-7600/fax-437-3052
/_/ /_/\___/\__/ /_/ /_/ /_/\__,_/  \___/ http://www.netmdc.com
[-[system info]---]
 12:25pm  up 32 days, 19:05,  2 users,  load average: 0.03, 0.05, 0.00



Re: qpopper vulnerability?

1999-03-09 Thread Aaron L. Meehan

Well, the qmail popbull patch works a bit differently, since it counts
on the access time of the user's Maildir vs the creation time of the
actual bulletin file to determine whether they should get the bulletin
(as far as I can remember).

I'm wondering which method I prefer now.  One drawback of the access
time method is that if the user accesses the mail in another fashion
(we have a imap webmail gateway, for example), or if a technician
needs to access the customer's mail for some reason, then the access
time of the Maildir has been modified and they will never get the
bulletin.. I'll ponder what to do.. One drawback of the ~/.popbull
method would be a few thousand more inodes used.. among other things.

Aaron

Quoting [EMAIL PROTECTED] ([EMAIL PROTECTED]):
 4.3) How do bulletins work:
 During a POP session, after authentication by the user, the server
 copies the bulletins placed in BULLDIR into the user's
 message spool. The server figures out the last bulletin
 read by the user by placing the last bulletin number read
 in ~/.popbull under the user's home directory. Any bulletin in BULLDIR
 with a number greater than the one in ~/.popbull is
 copied to the user's message spool.
 
 
 It works for qpopper; what about qmail's popper, can it do it that way too?
 Or will it send old bulls to a new user too?
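
Added example, not part of the thread and not code from the popbull patch or qpopper: a Python sketch of the two bulletin-selection methods described in the message above, showing how an unrelated Maildir access hides a pending bulletin under the access-time method while the ~/.popbull counter still selects it. Assumptions: the function names and paths are hypothetical, bulletin files are named `<number>.<title>`, file mtime stands in for the bulletin's creation time, and a missing ~/.popbull is treated as "nothing read yet".

```python
import os
import tempfile

def bulletin_number(name):
    # Assumed naming for this sketch: "<number>.<title>", e.g. "00002.outage".
    return int(name.split(".", 1)[0])

def due_by_atime(maildir, bulldir):
    """Access-time method: bulletins newer than the Maildir's last access."""
    last_access = os.stat(maildir).st_atime
    return sorted(n for n in os.listdir(bulldir)
                  if os.stat(os.path.join(bulldir, n)).st_mtime > last_access)

def due_by_counter(home, bulldir):
    """~/.popbull method: bulletins numbered above the stored counter."""
    try:
        with open(os.path.join(home, ".popbull")) as f:
            last = int(f.read().strip() or 0)
    except FileNotFoundError:
        last = 0  # sketch assumption: no counter file means nothing read yet
    return sorted(n for n in os.listdir(bulldir) if bulletin_number(n) > last)

def demo():
    """Constructed scenario; timestamps are set explicitly with os.utime."""
    with tempfile.TemporaryDirectory() as root:
        home = os.path.join(root, "home")
        maildir = os.path.join(home, "Maildir")
        bulldir = os.path.join(root, "bulldir")
        os.makedirs(maildir)
        os.makedirs(bulldir)
        for name, t in (("00001.welcome", 500), ("00002.outage", 2000)):
            path = os.path.join(bulldir, name)
            open(path, "w").close()
            os.utime(path, (t, t))
        # The user last collected mail at t=1000 and has read bulletin 1.
        os.utime(maildir, (1000, 1000))
        with open(os.path.join(home, ".popbull"), "w") as f:
            f.write("1")
        before = due_by_atime(maildir, bulldir)
        # A webmail gateway or technician opens the Maildir at t=3000.
        os.utime(maildir, (3000, 3000))
        after = due_by_atime(maildir, bulldir)
        return before, after, due_by_counter(home, bulldir)

if __name__ == "__main__":
    print(demo())
```
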



Re: qpopper vulnerability?

1999-03-08 Thread Peter van Dijk

On Mon, Mar 08, 1999 at 09:33:08PM +0100, Matthias Pigulla wrote:
 Hi folks,
 
 In http://www.cert.org/advisories/CA-98.08.qpopper_vul.html you will
 read "CERT Coordination Center has received reports of buffer overflow
 vulnerabilities in some POP servers based on QUALCOMM's qpopper."
 
 Is qmail-popup (or any other program involved due to qmail's POP3
 interface design) known to be exploitable?

No, DJB's code has always been perfectly exploit-free as far as I know. qmail-popup
and qmail-pop3d are in _no_ _way_ related to qpopper.

Greetz, Peter.
-- 
.| Peter van Dijk   | mo|VERWEG get stoned or code
.| [EMAIL PROTECTED]  | mo|VERWEG that is the question of life
| mo|VERWEG code or get stoned
| mo|VERWEG get stoned AND code
| mo|VERWEG hmm
| mo|VERWEG then just get stoned and read slashdot :)