From owner-freebsd-security Thu Apr 10 21:59:34 1997
Return-Path:
Received: (from root@localhost)
        by freefall.freebsd.org (8.8.5/8.8.5) id VAA26305
        for security-outgoing; Thu, 10 Apr 1997 21:59:34 -0700 (PDT)
Received: from rover.village.org (rover.village.org [204.144.255.49])
        by freefall.freebsd.org (8.8.5/8.8.5) with SMTP id VAA26298
        for ; Thu, 10 Apr 1997 21:59:29 -0700 (PDT)
Received: from rover.village.org [127.0.0.1]
        by rover.village.org with esmtp (Exim 1.60 #1)
        id 0wFYQo-0003Ga-00; Thu, 10 Apr 1997 22:59:26 -0600
To: security@freebsd.org
Subject: David Sacerdote: qualcomm POP server
Date: Thu, 10 Apr 1997 22:59:26 -0600
From: Warner Losh
Message-Id:
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

FYI.  Headers slightly edited.

Warner

------- Forwarded Message

MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-ID:
Date: Wed, 9 Apr 1997 16:04:56 -0600
Reply-To: David Sacerdote
Sender: Bugtraq List
From: David Sacerdote
Subject: qualcomm POP server
To: BUGTRAQ@NETSPACE.ORG

- -----BEGIN PGP SIGNED MESSAGE-----

Since CERT took up the information in the Secure Networks advisory
imap.advisory.04.02.97, as part of CA 97.09, they neglected to repeat
the section which explicitly mentions that the Qualcomm Popper, and
other POP servers not derived from the University of Washington POP
server are not vulnerable.  The consequences have ranged from queries
via email to administrators of large networks completely disabling
POP, even though they are not running vulnerable POP servers.

I remind administrators that although virtually all IMAP servers are
affected, almost no POP servers are.  Remarkably few sites run ipop2d
and ipop3d, even in comparison to the number of sites running the
University of Washington IMAP server.  None of the Qualcomm, University
of California at Berkeley, or University of California at Davis POP
servers are vulnerable, and those three seem to be by far the most
widely deployed POP servers.

Administrators are urged NOT to panic, and blindly disable POP service
for their users, but to issue the command:

    telnet mail.server.machine 110

and look at the version string they see.  There is no reason whatsoever
to disable POP service unless they see some mention of the University
of Washington, as in:

    +OK testing.secnet.com POP3 3.3(20) w/IMAP2 client (Comments to
    MRC@CAC.Washington.EDU) at Wed, 9 Apr 1997 15:20:15 -0x00 (MDT)

The full text of the Secure Networks advisory on imapd and ipop3d,
published on April 2, 1997, can be found at
ftp://ftp.secnet.com/pub/advisories

I urge administrators who run POP or IMAP servers who have not already
read this advisory to do so.

I would, of course, much appreciate it if CERT were to undertake a
policy of issuing a credit to the initial publisher of a piece of
information somewhere in their advisory.

David Sacerdote

- -----BEGIN PGP SIGNATURE-----
Version: 2.6.2

- -----END PGP SIGNATURE-----

------- End of Forwarded Message
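
The banner check described in the forwarded message, written out for a list of mail hosts. This is an added example, not part of the original post: the function names, verdict strings, example host names and the second sample greeting are assumptions constructed here, and the only rule applied is the message's own (a mention of the University of Washington in the greeting).

```python
import socket

# Greeting quoted in the forwarded message (a University of Washington ipop3d).
UW_BANNER = ("+OK testing.secnet.com POP3 3.3(20) w/IMAP2 client "
             "(Comments to MRC@CAC.Washington.EDU) at Wed, 9 Apr 1997 15:20:15 -0x00 (MDT)")
# Constructed sample greeting for a server with no such mention (not from the page).
OTHER_BANNER = "+OK mail.example.org POP3 server ready"


def read_greeting(host, port=110, timeout=5.0):
    """Connect like `telnet host 110` and return the first line the server sends."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        data = b""
        while b"\n" not in data and len(data) < 1024:  # cap what we buffer
            chunk = sock.recv(256)
            if not chunk:
                break
            data += chunk
    return data.split(b"\n", 1)[0].decode("ascii", "replace").strip()


def classify_greeting(greeting):
    """Apply the message's rule: act only if the greeting mentions Washington."""
    if not greeting.startswith("+OK"):
        return "not-a-pop3-greeting"
    if "washington" in greeting.lower():
        return "uw-derived"
    return "no-uw-mention"


def survey(hosts, reader=read_greeting):
    """Map each host to a verdict; unreachable hosts are recorded, not fatal."""
    results = {}
    for host in hosts:
        try:
            results[host] = classify_greeting(reader(host))
        except OSError as exc:  # refused, timed out, DNS failure
            results[host] = "unreachable (%s)" % exc.__class__.__name__
    return results


if __name__ == "__main__":
    # Offline demonstration: a stand-in reader serving the sample greetings above.
    canned = {"uw.example": UW_BANNER, "other.example": OTHER_BANNER}
    for host, verdict in survey(canned, reader=canned.__getitem__).items():
        print(host, verdict)
```

Calling `survey()` with a list of your own mail hosts and the default reader performs the live check on port 110; a "no-uw-mention" verdict reflects only the greeting text, as in the message.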