XMailforum is a readonly knowledge archive now.
Registering as a new user or answering posts is not possible anymore.
Might the force be with you, to find here what you are looking for.
2019-09-20 - hschneider, Admin
Cookie Disclaimer: This forum uses only essential, anonymous session cookies (xmailforum*), nothing to be scared of.
XMail Forum [Powered by Invision Power Board]
Posted by: hschneider Oct 13 2005, 06:53 AM |
QUOTE | > There is a possible buffer overflow vulnerability in all versions of XMail > previous to 1.22. This does not affect the server itself, but the XMail's > sendmail binary. Since many runs the XMail's sendmail as suid root, the > issue can be critical, even if not easily exploitable w/out knowing the > server setup. I'd suggest everyone to update to 1.22 ASAP:
Side note if it wasn't clear. Even the Windows XMail's sendmail is affected ...
- Davide
|
The complete list of changes:
QUOTE | Oct 12, 2005 v 1.22
* The POP3 before SMTP authentication is now correctly interpreted as real SMTP authentication, by the mean of @@USERAUTH.
* 'ATTENTION': Fixed a possible cause of buffer overflow in the XMail's sendmail binary.
* Changed the DNS MX resolution to allow better handling of partially broken DNS servers configuations.
|
|
Posted by: hschneider Oct 14 2005, 07:27 AM |
Recommended for OpenBSD users: http://www.xmailserver.org/xmail-1.23-pre01.tar.gz
QUOTE | > You're the best! > > It works perfeclty now. Even the stuck mails from the previous build are > > delivered instantly. > > > > Can you tell which problem caused this behavious? Something thread related ?
The gethostby{name,addr}_r are not available, so XMail was using the ones w/out the _r, that are not intrinsicly thread safe. This because the first BSD port (FreeBSD) was serializing and handling safety correctly. Eventually not all BSDs do, that might have triggered problems with threading.
|
Symptoms for this were sporadic coredumps, mails hanging in the queue without being delivered, long response times of SMTP, SMAIL and POP threads, frozen pop3link connections.
|
Posted by: hschneider Oct 14 2005, 08:56 AM |
The iDefense report on this exploit is available here: http://www.idefense.com/application/poi/display?id=321&type=vulnerabilities&flashstatus=true
All this is fixed in 1.22 ! |
Posted by: pgs Oct 15 2005, 03:46 PM |
Just a question: Is the debian package update on the way?
regards, pgs |
Posted by: hschneider Oct 15 2005, 08:57 PM |
Sorry - I'm not in contact with the maintainer. You can compile it from the source tarball on any Linux platform! |
Powered by Invision Power Board (http://www.invisionboard.com)
© Invision Power Services (http://www.invisionpower.com)