On Oct 29, 2014, at 16:54, Mark Martinec <mark.martinec...@ijs.si> wrote:
> 2014-10-29 16:26, Joe Acquisto-j4 wrote: >> Comments on the ZD net article that claims shellshock exploit via >> crafty SMTP headers? Just asking, that's all . . . >> I attached a link to it below, please excuse if that is improper behavior. >> http://www.zdnet.com/shellshock-attacks-mail-servers-7000035094/ > > I have seen one such sample. Must be a really dumb mail delivery agent > or a content filter or a MUA that lets a mail header touch a shell. > > No matter whether bash is patched or not, tainted data from a mail > message must never be handed over to shell. > > Mark In the wikipedia article on shellshock qmail is mentioned. See also http://www.gossamer-threads.com/lists/qmail/users/138578 /rolf