
> XMail 1.22 released !, An urgently recommended security upd.!
hschneider
Posted: Oct 13 2005, 06:53 AM


No - I'm not an answering script ...

Group: Admin
Posts: 6631
Member No.: 195
Joined: 19-June 02



QUOTE

> There is a possible buffer overflow vulnerability in all versions of XMail
> previous to 1.22. This does not affect the server itself, but XMail's
> sendmail binary. Since many run XMail's sendmail as suid root, the
> issue can be critical, even if not easily exploitable w/out knowing the
> server setup. I'd suggest everyone update to 1.22 ASAP:

Side note if it wasn't clear. Even the Windows XMail's sendmail is affected
...



- Davide


The complete list of changes:

QUOTE

  Oct 12, 2005 v 1.22

    *  The POP3 before SMTP authentication is now correctly interpreted as
        real SMTP authentication, by means of @@USERAUTH.

    *  'ATTENTION': Fixed a possible cause of buffer overflow in the
        XMail's sendmail binary.

    *  Changed the DNS MX resolution to allow better handling of partially
        broken DNS servers configurations.


--------------------
Bye,
Harald


-- Download XMail Queue Manager 1.46 NOW: XMail Server Tools
-- Cross platform remote queue management!
-- Message analyzing on the fly!
-- Builtin diagnostics knowledge base!
-- Manages multiple mail queues!

hschneider
Posted: Oct 14 2005, 07:27 AM



QUOTE

> You're the best!
> > It works perfectly now. Even the stuck mails from the previous build are
> > delivered instantly.
> >
> > Can you tell which problem caused this behaviour? Something thread related?

The gethostby{name,addr}_r are not available, so XMail was using the ones
w/out the _r, that are not intrinsically thread safe. This is because
the first BSD port (FreeBSD) was serializing and handling safety
correctly. Eventually not all BSDs do, that might have triggered problems
with threading.


Symptoms for this were sporadic coredumps, mails hanging in the queue without being delivered, long response times of SMTP, SMAIL and POP threads, frozen pop3link connections.



--------------------
Bye,
Harald
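
An added example, not part of the thread and not XMail's code: one way to call the non-reentrant `gethostbyname()` safely from several threads when the `_r` variants are missing is to serialize every call behind one lock and copy the result out of the resolver's static buffer before releasing it. The names `resolver_lock` and `resolve_ipv4_locked` are hypothetical, and the pattern assumes every resolver call in the process goes through the wrapper.

```c
#include <netdb.h>
#include <pthread.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* gethostbyname() returns a pointer into static storage shared by all
 * threads, so a second caller can overwrite the record while the first
 * is still reading it. One process-wide lock serializes the calls. */
static pthread_mutex_t resolver_lock = PTHREAD_MUTEX_INITIALIZER;

/* Hypothetical helper: resolve `host` to its first IPv4 address.
 * Returns 0 on success, -1 on failure; *out is written only on success. */
int resolve_ipv4_locked(const char *host, struct in_addr *out)
{
    int rc = -1;

    if (host == NULL || out == NULL)
        return -1;

    pthread_mutex_lock(&resolver_lock);
    struct hostent *he = gethostbyname(host);
    /* Validate while the lock is held: the static hostent is stable only
     * until the next resolver call, and only a 4-byte AF_INET address
     * fits in struct in_addr (the length check also bounds the copy). */
    if (he != NULL && he->h_addrtype == AF_INET &&
        he->h_length == (int)sizeof(*out) && he->h_addr_list[0] != NULL) {
        memcpy(out, he->h_addr_list[0], sizeof(*out));
        rc = 0;
    }
    pthread_mutex_unlock(&resolver_lock);

    /* The caller gets a private copy and never sees the shared pointer. */
    return rc;
}

int main(void)
{
    struct in_addr a;
    /* Constructed input: a numeric literal, so no DNS query is sent. */
    return resolve_ipv4_locked("127.0.0.1", &a) == 0 ? 0 : 1;
}
```

Where it is available, `getaddrinfo()` is the reentrant interface and removes the need for the lock.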


hschneider
Posted: Oct 14 2005, 08:56 AM



The iDefense report on this exploit is available here:
http://www.idefense.com/application/poi/di...lashstatus=true

All this is fixed in 1.22 !


--------------------
Bye,
Harald


pgs
Posted: Oct 15 2005, 03:46 PM


Newbie

Group: Members
Posts: 16
Member No.: 1382
Joined: 1-November 04



Just a question: Is the Debian package update on the way?

regards, pgs
hschneider
Posted: Oct 15 2005, 08:57 PM



Sorry - I'm not in contact with the maintainer. You can compile it from the source tarball on any Linux platform!


--------------------
Bye,
Harald

