Re: Security hole in imapd - pine 3.96 affected?
From: aleph1 () DFW NET (Aleph One)
Date: Wed, 9 Apr 1997 01:33:32 -0500
| From mrc () cac washington edu Tue Apr 8 09:26:34 1997
| Date: Tue, 4 Mar 1997 15:22:05 -0800
| From: Mark Crispin <mrc () cac washington edu>
| To: pine-info () cac washington edu
| Subject: Re: Pine 3.96
| On 4 Mar 1997, Jody Housman wrote:
| > After building 3.96, I checked log_std.c code, and it appears to be the
| > same as what SNI calls the flawed code. Has the security hole been fixed
| > in some other way such as increasing the size of the username buffer?
| Yes. Instead of changing the flawed code, there is a booby trap in 3.96
| to catch people who try to exploit it. Attempts to trigger the security
| hole will never get to the flawed code, but will cause a "Crack attempt"
| syslog alert. Also, the advertised banner did not change in 3.96, to make
| it difficult for a bad guy to tell the difference between a vulnerable
| 3.95 server and a non-vulnerable 3.96 server.
| Perhaps knowledge of this might deter bad guys from trying to exploit this
| bug. Then again, those of us who have a life have a hard time in
| fathoming the thought processes of those who do not.
| In the as-yet unreleased Pine 4.0 (and the current released imap-4.1
| toolkit), the banners changed, so there seemed to be no point in having
| the booby trap. The flawed code is gone entirely in this version.
| Unless you have a special reason to continue to run IMAP2bis based
| servers, I recommend that you run the servers in the imap-4.1 toolkit:
| since this version supports IMAP4rev1 and POP3 with UIDL.
| -- Mark --
| Unsolicited commercial email is NOT welcome at this email address.
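
The message above describes leaving the flawed routine in place and putting a check in front of it that raises a "Crack attempt" syslog alert. The following C sketch of that pattern is an added example, not part of the original message and not the Pine or imapd source. It assumes the trap is a length check on the username; `USERBUF_LEN`, `legacy_login`, `guarded_login`, `alert_count` and the peer address are hypothetical names and constructed values.

```c
#include <stdio.h>
#include <string.h>
#include <syslog.h>

#define USERBUF_LEN 64            /* assumed size of the legacy fixed buffer */

static int alerts_raised = 0;     /* lets callers observe that the trap fired */

/* Hypothetical stand-in for the unchanged legacy routine: it copies without
 * a bounds check, so it is safe only when strlen(user) < USERBUF_LEN. */
static int legacy_login(const char *user, const char *pass)
{
    char name[USERBUF_LEN];
    strcpy(name, user);           /* the unbounded copy the guard protects */
    return name[0] != '\0' && pass[0] != '\0';  /* placeholder credential check */
}

/* Guard placed in front of the legacy routine (assumed to be a length check).
 * Returns 1 = accepted, 0 = rejected, -1 = trap fired. */
int guarded_login(const char *user, const char *pass, const char *peer)
{
    size_t n = 0;
    while (n < USERBUF_LEN && user[n] != '\0')
        n++;                      /* never scans past the buffer size */
    if (n == USERBUF_LEN) {
        /* Do not reach the flawed code; log the peer, not the raw input. */
        syslog(LOG_ALERT, "Crack attempt: oversized username from %s", peer);
        alerts_raised++;
        return -1;
    }
    return legacy_login(user, pass);
}

int alert_count(void) { return alerts_raised; }

int main(void)
{
    char big[4 * USERBUF_LEN];    /* constructed oversized username */
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';

    openlog("imapd-example", LOG_PID, LOG_AUTH);
    printf("normal:    %d\n", guarded_login("jody", "secret", "192.0.2.10"));
    printf("oversized: %d\n", guarded_login(big, "x", "192.0.2.10"));
    printf("alerts:    %d\n", alert_count());
    closelog();
    return 0;
}
```

The alert line gives operators a detection signal that a silent fix would not, which is the trade-off the message describes for 3.96.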