On 06/04/2011 12:59, Matt Sergeant wrote:
> No takers? I do consider the bug fairly minor (it's not like a remote root
> or anything)... But still?

Matt, thanks for this simple and straightforward fix. Even I understand it ;-)
Jared Johnson wrote:
> I ... disagree. From my reading of plugins/tls, it looks like there is
> no problem at all, in the non-async code path. It resets STDIN and
> STDOUT to a socket created from scratch by the IO::Socket::SSL module.
> I haven't looked at IO::Socket::SSL to see if it has this sort
I've been otherwise occupied but I forwarded this to the rest of our dev
team and our resident security guru had this to say
Original Message
Subject: Re: [Fwd: STARTTLS vulnerabilty and qmail-spamcontrol ucspi-ssl
qpsmtpd]
From: Peter
No takers? I do consider the bug fairly minor (it's not like a remote
root or anything)... But still?
Matt Sergeant wrote:
> I'm forwarding this to the list since I didn't get a response from Ask...
> The problem here is when someone sends the following packet:
> STARTTLS\nSOME_COMMAND\n
> The
I'm forwarding this to the list since I didn't get a response from Ask...
The problem here is when someone sends the following packet:
STARTTLS\nSOME_COMMAND\n
The SOME_COMMAND bit gets cached internally (in PollServer/async that's
in $qp->{line}, but in the other implementations I have no
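
Added example, not part of the thread and not qpsmtpd code: a toy Python model of the line buffering described above, showing how a command that arrives in the same cleartext packet as STARTTLS ends up parsed after the upgrade, and how dropping the pending buffer at the upgrade prevents that. The class, its fields and the `flush_on_starttls` switch are hypothetical, the TLS handshake is simulated with a flag, and discarding the buffer is a common mitigation assumed here, not necessarily the patch discussed in the thread.

```python
# Added illustration; a toy model, not qpsmtpd code. All names are hypothetical.

class SmtpSession:
    """Line-buffered command reader with a simulated STARTTLS upgrade."""

    def __init__(self, flush_on_starttls):
        self.flush_on_starttls = flush_on_starttls
        self.buf = b""          # bytes read from the socket, not yet parsed
        self.tls = False        # True once the (simulated) handshake is done
        self.log = []           # (command, treated_as_encrypted) pairs

    def feed(self, data):
        """Append one network read and process every complete line in it."""
        self.buf += data
        while b"\n" in self.buf:
            line, self.buf = self.buf.split(b"\n", 1)
            cmd = line.strip().decode("ascii", "replace")
            if not cmd:
                continue
            self.log.append((cmd, self.tls))
            if cmd.upper() == "STARTTLS" and not self.tls:
                self.start_tls()

    def start_tls(self):
        # Anything still in self.buf arrived in cleartext, before the
        # handshake. The fix is to drop it here so it can never be parsed
        # as if it had come through the encrypted channel.
        if self.flush_on_starttls:
            self.buf = b""
        self.tls = True         # stand-in for the real TLS handshake


def run(flush_on_starttls):
    s = SmtpSession(flush_on_starttls)
    s.feed(b"STARTTLS\nSOME_COMMAND\n")   # constructed packet from the post
    return s.log
```

`run(False)` records SOME_COMMAND as handled inside the TLS session even though it was received in cleartext; `run(True)` never sees it.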