XMailforum is a readonly knowledge archive now.

Registering as a new user or answering posts is not possible anymore.

Might the force be with you, to find here what you are looking for.

2019-09-20 - hschneider, Admin

Cookie Disclaimer: This forum uses only essential, anonymous session cookies (xmailforum*), nothing to be scared of.

XMail Forum [Powered by Invision Power Board]
Printable Version of Topic
Click here to view this topic in its original format
XMail Forum > Announcements > XMail 1.22 released !


Posted by: hschneider Oct 13 2005, 06:53 AM
QUOTE

> There is a possible buffer overflow vulnerability in all versions of XMail
> previous to 1.22. This does not affect the server itself, but the XMail's
> sendmail binary. Since many runs the XMail's sendmail as suid root, the
> issue can be critical, even if not easily exploitable w/out knowing the
> server setup. I'd suggest everyone to update to 1.22 ASAP:

Side note if it wasn't clear. Even the Windows XMail's sendmail is
affected ...



- Davide


The complete list of changes:

QUOTE

  Oct 12, 2005 v 1.22

    *  The POP3 before SMTP authentication is now correctly interpreted as
        real SMTP authentication, by the mean of @@USERAUTH.

    *  'ATTENTION': Fixed a possible cause of buffer overflow in the
        XMail's sendmail binary.

    *  Changed the DNS MX resolution to allow better handling of partially
        broken DNS servers configuations.

Posted by: hschneider Oct 14 2005, 07:27 AM
Recommended for OpenBSD users: http://www.xmailserver.org/xmail-1.23-pre01.tar.gz

QUOTE

> You're the best!
> > It works perfeclty now. Even the stuck mails from the previous build are
> > delivered instantly.
> >
> > Can you tell which problem caused this behavious? Something thread related ?

The gethostby{name,addr}_r are not available, so XMail was using the ones
w/out the _r, that are not intrinsicly thread safe. This because
the first BSD port (FreeBSD) was serializing and handling safety
correctly. Eventually not all BSDs do, that might have triggered problems
with threading.


Symptoms for this were sporadic coredumps, mails hanging in the queue without being delivered, long response times of SMTP, SMAIL and POP threads, frozen pop3link connections.

Posted by: hschneider Oct 14 2005, 08:56 AM
The iDefense report on this exploit is available here:
http://www.idefense.com/application/poi/display?id=321&type=vulnerabilities&flashstatus=true

All this is fixed in 1.22 !

Posted by: pgs Oct 15 2005, 03:46 PM
Just a question: Is the debian package update on the way?

regards, pgs

Posted by: hschneider Oct 15 2005, 08:57 PM
Sorry - I'm not in contact with the maintainer. You can compile it from the source tarball on any Linux platform!

Powered by Invision Power Board (http://www.invisionboard.com)
© Invision Power Services (http://www.invisionpower.com)