Date: Thu, 16 Jul 1998 11:58:01 -0400 (EDT)
From: Matt Behrens
To: Adrian Penisoara
cc: Steve Price, imap-uw@freebsd.ady.ro, FreeBSD ports
Subject: Re: imap-uw security hole -- please update port

OK guys, here's what I've got. :)

I don't know what the problem is. Apparently Terry Gray from UW knows,
I'll ask him. I did find out from that the bug affects the version we
currently have in the port; i.e. anything before July 12.

I don't think we need to change the structure of any of the ports. pine
should still install pine and imap-uw imap-uw. I don't think the tools
would be needed, I never use them except imapd anyway.

Thanks a bunch. You guys have been extremely helpful -- and fast! :)
I'll let you know what I find out.

On Thu, 16 Jul 1998, Adrian Penisoara wrote:

> Hi,
>
> On Thu, 16 Jul 1998, Steve Price wrote:
>
> > Hey, I won't worry if Matt doesn't. :) If we don't install
>
> I'd still worry if Matty was happy and the sources were
> security-compromising... :)
>
> > the imap tools does that satisfy your requirements Matt or
> > are you expecting them to be installed as part of pine4?
>
> Pine 3.96 & Pine 4.00 install only c-client library, pico (the Editor),
> Pilot (the file Browser) and Pine (the MUA); I believe this is what the
> average user expects -- if someone wants the mail daemons (ipop2d, ipop3d,
> imapd) then they will happily be served by the imap-uw port :)
>
> > If so, would a *_DEPENDS on the imap-uw port work? Of
> > course its build/install would have to be conditionalized
> > appropriately first of course.
>
> That wouldn't be necessary (if the POP/IMAP daemons build was expected)
> -- Pine 4.00 source tarball comes with the sources for these daemons
> already, *_DEPENDS should be used only to force using imap-uw's sources
> instead of what the pine port has; but I do repeat: the user
> doesn't/shouldn't expect the port to install anything else but what they
> come for and that's the Pine binaries; if they want the mail daemons they
> should go for imap-uw...
>
> What's your opinion, Matt ?
>
> >
> > Just out of curiosity why isn't the imap-uw port afflicted
> > by the same security problems mentioned on BUGTRAQ?
>
> I believe this is because only the newly released Pine 4.00 source
> tarball has the latest sources which have that security bug -- but this is
> just a supposition, it must be verified !
>
> And about that, could you dig up a bit more and tell me what exactly is
> this security compromise about or where can I find more about it, Matt ?
> Thanks !
>
> >
> > Steve
> >
> > On Thu, 16 Jul 1998, Adrian Penisoara wrote:
> >
> > >
>
> Ady (@freebsd.ady.ro)
>

Matt Behrens
Founder and Chief Engineer, The OverNet Network
I eat Penguins for breakfast.