Hi,
There's a security advisory just been released for qmail and qmail-verify.
Although the main qmail exploit looks non-trivial, it's still of concern. The
good news is that the main exploit is mitigated with a small patch to alloc.c,
as described in the advisory. Here's the advisory,
https://www.qualys.com/2020/05/19/cve-2005-1513/remote-code-execution-qmail.txt
Re. my qmail-verify patchset, this had 2 faults/vulnerabilities which the
advisory describes as "minor", which are fixed in the new version of
qmail-verify v1.50 (the fix is to incorporate the code in the advisory above;
I've also made some corrections to the qmail-verify man page),
https://free.acrconsulting.co.uk/email/qmail-verify.html
I believe that updated 'qmail' packages for Debian and Ubuntu are in
preparation that should incorporate the fixes proposed in the advisory.
Kind regards,
Andrew Richards.
--
====================================================================
* Custom email solutions * Systems Administration * Networking
http://www.acrconsulting.co.uk/
====================================================================