Courier-MTA spf.c DoS vuln - fixed?

dephzon · n00b Joined: 27 Nov 2003 Posts: 7

Hi!

Did I miss it - or isn't there an patch available for the actual courier instance in portage?

The actual courier instance in portage has IMHO an DoS vulnerability in spf.c.

my courier says:

hostname ~ # courier --version
Courier 0.48.1 Copyright 1999-2004 Double Precision, Inc.

The actual fixed version is - AFAIK 0.50.1. I think it is not that critical - I am just not sure wether this issue is fixed or not - anyone knows?

EDIT: Advisory here: http://secunia.com/advisories/15901/

bye
dephzon

kashani · Posted: Thu Jul 07, 2005 3:44 pm Post subject:

Hmmm 0.50.1 isn't in portage yet and 0.50.0 is still masked. It looks like you'll need to either disable SPF which should be off by default according to the Courier docs or try to add this patch to 0.48.1 or 0.50.0. That might not be easy.

http://sourceforge.net/mailarchive/forum.php?thread_id=7643256&forum_id=6705

There appear to be some work on the bug in bugzilla.
https://bugs.gentoo.org/show_bug.cgi?id=97915

kashani
_________________
Will personally fix your server in exchange for motorcycle related shop tools in good shape.