[1503] in linux-security and linux-alert archive

home help back first fref pref prev next nref lref last post

[linux-security] Re: Is qpopper vulnerable?? Re: CERT Advisory CA-97.09 - Vulnerability in IMAP and POP

daemon@ATHENA.MIT.EDU (Edward Siewick)
Wed Apr 9 02:03:46 1997

From: esiewick@digipro.com (Edward Siewick)
To: linux-security@redhat.com
Date: Tue, 8 Apr 1997 11:00:15 -0400 (EDT)
In-Reply-To: <Pine.SUN.3.96.970407232421.18286B-100000@eskimo.com> from "Daniel Pewzner" at Apr 7, 97 11:33:35 pm
Resent-From: linux-security@redhat.com
Reply-To: linux-security@redhat.com

Daniel Pewzner & Co.,

>  I've got qualcomm's qpopper2.2, and am not sure if its vulnerable.  The
>advisory mentions pop and imap servers, but only says:
>
>     version of IMAP (Section B).  If your POP server is based on the
>     University of Washington IMAP server code, you should also upgrade to
>     the latest version of IMAP. Until you can take one of these actions, 
>
>I installed the new imapd about 3 weeks ago.  I'm just uptight that the
>qualcomm qpopper may be vulnerable too.  Has anyone with the ability to
>disect the code taken a good look?  Thanks, Dan


The answer I received from QualComm's Praveen Yaramada was:

>qpopper is NOT prone to the problem specified in CA-97.09.
>
>>You've probably been asked this a few times already.  But is qpop
>>vulnerable to the "buffer overflow" problem described in today's CERT
>>Advisory CA-97.09 concerning imapd, ipop2d, and ipop3d?  
>
>Thanks for the quick reply.  You might want to send a quick note to CERT
>asking them to add a reference to qpopper to their advisory.  It might
>prevent your seeing a lot more of these notes.  Just a thought.

Edward Siewick


-- 
  ESiewick@DigiPro.com               DigiPro Digital Productions, LLC
  Voice:  703-522-8465                   3100 North Quincy Street
  Fax:    703-522-8417                  Arlington, Virginia  22207


home help back first fref pref prev next nref lref last post