From owner-freebsd-security  Tue Jul 21 14:24:22 1998
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Received: (from majordom@localhost)
          by hub.freebsd.org (8.8.8/8.8.8) id OAA16786
          for freebsd-security-outgoing; Tue, 21 Jul 1998 14:24:22 -0700 (PDT)
          (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from Tyr.office.EFN.org (root@[204.214.99.45])
          by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id OAA16691
          for <security@FreeBSD.ORG>; Tue, 21 Jul 1998 14:23:49 -0700 (PDT)
          (envelope-from spy@tyr.office.efn.org)
Received: from Tyr.office.EFN.org (IDENT:spy@Tyr.office.EFN.org [204.214.99.45])
	by Tyr.office.EFN.org (8.9.0/8.9.0) with SMTP id OAA13112;
	Tue, 21 Jul 1998 14:22:18 -0700 (PDT)
Date: Tue, 21 Jul 1998 14:22:18 -0700 (PDT)
From: Ben <spy@tyr.office.efn.org>
Reply-To: ben@efn.org
To: Brett Glass <brett@lariat.org>
cc: Jeremy Shaffner <jer@jorsm.com>, security@FreeBSD.ORG
Subject: Re: Why is there no info on the QPOPPER hack?
In-Reply-To: <199807211928.NAA15499@lariat.lariat.org>
Message-ID: <Pine.BSF.3.96.980721141904.12932A-100000@Tyr.office.EFN.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, 21 Jul 1998, Brett Glass wrote:

> >How does "have been potentially" work?
> 
> It means they're wide open and ready to be hacked. NOW.
>  
> >Pardon my ignorance, since I haven't used CVS, but isn't that what the
> >"ports" are? A skeleton with the necessary patches and a Makefile that
> >fetches the distfile if you don't already have it?  Like I said before,
> >Jordan had an updated -stable port the same day.
> 
> New holes are still being found in Qualcomm's THIRD update.

Due to the large cpu usage, and the disk space needed on large production 
machines for /var/pop when qpopper copies over the users mail spool, we went
to using cucipop.  You might try this too, it uses about 30% less cpu, and
doesn't have these exploits(yet? I haven't looked through it's code)

 -> ftp://ftp.informatik.rwth-aachen.de/pub/packages/cucipop/

> 
> >And if you get that new
> >port by downloading it manually, or by letting CVSup do it
> >"Automagically" does it really matter?  It's the same either way.
> 
> Not if you don't get word before you're hit.

The only way to be truly secure is to stay on top of things.  Why wasn't someone
else filling in for you during your vacation?

> --Brett

	-ben@efn.org


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe security" in the body of the message