Date:      Thu, 10 Apr 1997 22:59:26 -0600
From:      Warner Losh <imp@village.org>
To:        security@freebsd.org
Subject:   David Sacerdote: qualcomm POP server
Message-ID:  <E0wFYQo-0003Ga-00@rover.village.org>

FYI.  Headers slightly edited.

Warner

------- Forwarded Message

MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-ID: <Pine.BSI.3.95.970409160346.2495A-100000@silence.secnet.com>
Date: 	Wed, 9 Apr 1997 16:04:56 -0600
Reply-To: David Sacerdote <davids@SECNET.COM>
Sender: Bugtraq List <BUGTRAQ@NETSPACE.ORG>
From: David Sacerdote <davids@SECNET.COM>
Subject:      qualcomm POP server
To: BUGTRAQ@NETSPACE.ORG

- -----BEGIN PGP SIGNED MESSAGE-----

Since CERT took up the information in the Secure Networks advisory
imap.advisory.04.02.97, as part of CA 97.09, they neglected to repeat the
section which explicitly mentions that the Qualcomm Popper, and other POP
servers not derived from the University of Washington POP server are not
vulnerable.  The consequences have ranged from queries via email to
administrators of large networks completely disabling POP, even though
they are not running vulnerable POP servers.

I remind administrators that although virtually all IMAP servers are
affected, almost no POP servers are.  Remarkably few sites run ipop2d
and ipop3d, even in comparison to the number of sites running the
University of Washington IMAP server.  None of the Qualcomm, University
of California at Berkeley, or University of California at Davis POP
servers are vulnerable, and those three seem to be by far the most widely
deployed POP servers.  Administrators are urged NOT to panic, and blindly
disable POP service for their users, but to issue the command:

telnet mail.server.machine 110

and look at the version string they see.  There is no reason whatsoever
to disable POP service unless they see some mention of the University of
Washington, as in:

+OK testing.secnet.com POP3 3.3(20) w/IMAP2 client (Comments to
MRC@CAC.Washington.EDU) at Wed, 9 Apr 1997 15:20:15 -0x00 (MDT)


The full text of the Secure Networks advisory on imapd and ipop3d,
published on April 2, 1997, can be found at
ftp://ftp.secnet.com/pub/advisories
I urge administrators who run POP or IMAP servers who have not already
read this advisory to do so.

I would, of course, much appreciate it if CERT were to undertake a policy
of issuing a credit to the initial publisher of a piece of information
somewhere in their advisory.

David Sacerdote

- -----BEGIN PGP SIGNATURE-----
Version: 2.6.2

- -----END PGP SIGNATURE-----


------- End of Forwarded Message
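
The banner check described in the forwarded message, written as a script an administrator can run over their own mail hosts. This is an added example, not part of the original e-mail. The `washington` marker, the function names and the constructed non-UW greeting are assumptions made for illustration.

```python
import socket
import sys

# Assumption: the marker follows the e-mail's criterion, "some mention of the
# University of Washington" in the greeting (the name or a washington.edu address).
UW_MARKER = "washington"

# Greeting quoted in the e-mail (wrapped over two lines there).
UW_SAMPLE = ("+OK testing.secnet.com POP3 3.3(20) w/IMAP2 client (Comments to\n"
             "MRC@CAC.Washington.EDU) at Wed, 9 Apr 1997 15:20:15 -0x00 (MDT)")
# Constructed greeting for a server that does not mention the University of Washington.
OTHER_SAMPLE = "+OK mail.example.org POP3 server ready"

def classify_banner(banner):
    """Return 'uw-derived', 'other' or 'not-pop3' for a POP3 greeting."""
    text = " ".join(banner.split())  # rejoin a greeting wrapped across lines
    if not text.startswith("+OK"):
        return "not-pop3"  # -ERR, empty read, or a different service on the port
    return "uw-derived" if UW_MARKER in text.lower() else "other"

def fetch_banner(host, port=110, timeout=5.0):
    """Read the greeting line that 'telnet host 110' would display."""
    with socket.create_connection((host, port), timeout=timeout) as conn:
        data = b""
        while not data.endswith(b"\n") and len(data) < 1024:
            chunk = conn.recv(256)
            if not chunk:
                break
            data += chunk
    return data.decode("latin-1").strip()

def audit(hosts, fetch=fetch_banner):
    """Map each host to a verdict; connection failures become 'unreachable'."""
    results = {}
    for host in hosts:
        try:
            results[host] = classify_banner(fetch(host))
        except OSError:  # refused, timed out, or name did not resolve
            results[host] = "unreachable"
    return results

if __name__ == "__main__":
    for host, verdict in audit(sys.argv[1:]).items():
        print(f"{host}: {verdict}")
```

Only hosts reported as `uw-derived` call for the action discussed in the advisory; `other` matches the case where the message says there is no reason to disable POP service.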



