Hello,

Anyone have information on whether RedHat-5.0+ is affected by the
recent (today's) CERT advisory regarding QPOP?

thanks,
-bp
--
B. James Phillippe <bryan@terran.org>
Linux Software Engineer, WGT Inc.
http://earth.terran.org/~bryan

On 14-Jul-98 B. James Phillippe wrote:
> Hello,
>
> Anyone have information on whether RedHat-5.0+ is affected by the
> recent (today's) CERT advisory regarding QPOP?
>
> thanks,
> -bp
> --

There's a long thread on Bugtraq (http://www.geek-girl.com/bugtraq/) about it. Just search on qpopper or click on the last quarter's thread.

Originally it seemed only Linux was affected. In the intervening weeks I've seen someone post a FreeBSD version and yesterday one for SCO (although come to think of it that one may not have been qpopper, but whatever pop3 SCO ships with).

At any rate, there's a couple versions of exploit code in the thread you should perhaps compile and test out for yourself.

What I can't believe is how long CERT advisories take to come out these days. If I would have waited until I got this one before I patched the one box I had that was affected I would have been hacked about 3 times.

-mark
---
Mark Jeftovic aka: mark jeff or vic, stunt pope.
markjr@shmOOze.net http://www.shmOOze.net/~markjr
Private World's BOFH http://www.PrivateWorld.com
irc: L-bOMb Keep `em Guessing

On Thu, 16 Jul 1998, Levy Carneiro Jr. wrote:
> On Tue, 14 Jul 1998, B. James Phillippe wrote:
> > Anyone have information on whether RedHat-5.0+ is affected by the
> > recent (today's) CERT advisory regarding QPOP?
>
> This problem is due to qpopper version, not the distribution
> version.
> If your qpopper server is version 2.4 you must upgrade it.

The question was meant to be interpreted: is the POP daemon distributed with RedHat affected by the same exploits? Many people have responded with information that doesn't answer the question. I have also received responses from people stating that the POP with RedHat (imap-4.1) is not affected, and others who say it is. I've tried running two of the exploits I could find on the Bugtraq archive against a RedHat-4.2 system with no success.

So the question still stands: is the imap package distributed with RedHat also vulnerable to the qpopper exploit, or any other POP exploit? It doesn't appear to be, but...

[mod: James, you have the correct approach: even if you cannot reproduce a vulnerability, assume that it affects you. This is very important. Usually you can find a version number that's supposed to be fixed. Check the version numbers. Some programs are littered with bugs. Once someone finds one bug there will be a flurry of more bugs and more fixes. So don't trust the release notes that say "security bugs fixed". You have to keep an eye on the new releases and the mailing lists. -- REW]

-bp
--
B. James Phillippe <bryan@terran.org>
Linux Software Engineer, WGT Inc.
http://earth.terran.org/~bryan

>Originally it seemed only Linux was affected. In the intervening weeks I've
>seen someone post a FreeBSD version and yesterday one for SCO (although
>come to think of it that one may not have been qpopper, but whatever pop3
>SCO ships with).

Qpopper is derived from the Berkeley popper. SCO v3.2r4.2 shipped with a pop3d; SCO v3.2r5.0 ships with 'popper.' The CERT thing mentioned:

    Some SCO Operating systems are vulnerable. Patches are currently
    being developed and should be available soon.

We use qpopper on several Linux, SCO, Solaris and HP/UX servers; we just did them all.

> What I can't believe is how long CERT advisories take to come out these
> days. If I would have waited until I got this one before I patched the one
> box I had that was affected I would have been hacked about 3 times.

I have to wonder about the CERT announcement timing policy. Anybody know how they decide when to announce? At the least, there's a delay of days while the vendors are contacted with respect to patches and such. Usually, Sun has its act together; SCO is "looking into it" or "working on patches" or some other sort of vague comment.

Edward Siewick -- ESiewick@DigiPro.com
DigiPro Digital Productions, LLC Voice: 703-522-8465
3100 North Quincy Street Fax: 703-522-8417
Arlington, Virginia 22207