Message-Id: <4.3.2.7.2.20030311171659.03d45ba0@localhost>
Date: Tue, 11 Mar 2003 17:18:04 -0700
To: Jez Hancock, FreeBSD Security List
From: Brett Glass
Subject: Re: [heinz@cronon-ag.de: QPopper 4.0.x buffer overflow vulnerability]
In-Reply-To: <20030311212848.GA29347@users.munk.nu>

At 02:28 PM 3/11/2003, Jez Hancock wrote:

>Hi,
>
>Can anyone confirm whether or not the attached vulnerability applies to
>the qpopper 4.0.4-1 port?

My guess is it does. The only mitigating factor is that the attacker has
to supply a valid user ID and password, which means that the attack has
to be an inside job.

Any word regarding patches from Qualcomm?

--Brett