drtebi
n00b
Joined: 20 Mar 2003
Posts: 44
Location: San Francisco
|
 Posted: Mon Apr 23, 2007 5:51 am Post subject: Courier-IMAP: Remote execution of arbitrary code in ver. 3?? |
 |
|
Please don't bash me, I have just gone through quite some trouble trying to upgrade courier-imap, and couldn't really find solutions anywhere.
Today when the security announcement was made (https://forums.gentoo.org/viewtopic-t-554882.html), I figured I will do
| Code: |
emerge --sync
emerge net-mail/courier-imap
|
Once done, POP3 and IMAP were dead. I realized that the authdaemond package is "no longer distributed" when reading the install messages. Well, since I did use "authvchkpw" I guess I did have to have it. I read about relay-ctrl. Thought I could give it a shot. I have all user/password info in a mysql db, so I did have to emerge courier-imap again with USE="mysql". The "--pretend" output was a list of 15 ebuilds I don't want or that would break my system etc. I am starting to loose my faith in emerge.
Long story short, I downgraded to courier-imap-3.0.8.
I have read the bug report about this security issue (https://bugs.gentoo.org/show_bug.cgi?id=168196), and apparently there is a problem with some bash script /usr/lib/courier-imap/courier-pop3d.indirect. Well, it seems like this script does not exist in version 3.08.
So here now finally my question: Should I be concerned? Am I vulnerable using courier-imap version 3.08?
Thanks in advance
_________________
"I know not with what weapons World War III will be fought, but World War IV will be fought with sticks and stones." -- Albert Einstein |
|
Networking & Security
