If there is, I don't want to know about it :-)

Seriously though: 1.2 suffers from the SQL-injection bug. The code doesn't check i.e. whether the 'create' command for IMAP (which creates mailboxes) doesn't contain malicious code. It is possible for attackers to execute any kind of SQL command:
something along the lines of:

C : A01 login testuser1 test
S : A01 * OK
C : A02 CREATE 'testbox'
S : A02 * OK
C : A03 CREATE 'testbox2\"\; DELETE FROM MESSAGEBLKS\;'
S : A03 * OK

etc. You get the picture I'm sure.

2.0 and 2.1 do NOT suffer from this problem.

And that's just the most critical problem with 1.2 that comes to mind.

So yes! All you 1.2 users (you too, Jesse) better start thinking about upgrading.

Leonel Nunez wrote:
> Paul J Stevens wrote:
>
>> Becki,
>>
>> The CVE you refer to is *not* about dbmail. It's about Xmail, a different
>> product altogether.
>>
>> That said: don't use 1.2.11 on a new system. Use 2.0.6 instead. 1.2.x
>> is old, and not maintained any more.
>
> Is there any known bug on 1.2.11 ?
>
> Leonel
>
> _______________________________________________
> Dbmail mailing list
> Dbmail@dbmail.org
> https://mailman.fastxs.nl/mailman/listinfo/dbmail

--
________________________________________________________________
Paul Stevens                                      paul at nfg.nl
NET FACILITIES GROUP                     GPG/PGP: 1024D/11F8CD31
The Netherlands________________________________http://www.nfg.nl
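
The class of bug described in the message above, shown as an added example that is not part of the original post and is not dbmail's code: a mailbox name pasted into SQL text next to the same insert done with bound parameters. The two-table schema, the function names, the use of SQLite in place of dbmail's backend and the mailbox name (constructed, modelled on the CREATE argument in the message) are all assumptions.

```python
import sqlite3

# Constructed mailbox name modelled on the CREATE argument in the message;
# the quoting is adapted to the hypothetical query used below.
HOSTILE_NAME = "testbox2'); DELETE FROM messageblks; --"

def fresh_db():
    """In-memory stand-in for the mail store (hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        "CREATE TABLE mailboxes (owner TEXT, name TEXT);"
        "CREATE TABLE messageblks (id INTEGER PRIMARY KEY, body TEXT);"
        "INSERT INTO messageblks (body) VALUES ('msg one'), ('msg two');"
    )
    return db

def create_mailbox_unsafe(db, owner, name):
    # Vulnerable pattern: the client-supplied name becomes part of the SQL
    # text, and the interface accepts several statements in one call.
    db.executescript(
        "INSERT INTO mailboxes (owner, name) VALUES ('%s', '%s');" % (owner, name)
    )

def create_mailbox_safe(db, owner, name):
    # Hardened pattern: placeholders keep the name as data, never as SQL.
    db.execute("INSERT INTO mailboxes (owner, name) VALUES (?, ?)", (owner, name))
    db.commit()

def surviving_blocks(db):
    return db.execute("SELECT COUNT(*) FROM messageblks").fetchone()[0]

def demo():
    """Run both variants on a fresh store; return {label: (blocks_left, names)}."""
    results = {}
    for label, create in (("unsafe", create_mailbox_unsafe),
                          ("safe", create_mailbox_safe)):
        db = fresh_db()
        create(db, "testuser1", HOSTILE_NAME)
        stored = [row[0] for row in db.execute("SELECT name FROM mailboxes")]
        results[label] = (surviving_blocks(db), stored)
    return results

if __name__ == "__main__":
    for label, (blocks, names) in demo().items():
        print(label, "message blocks left:", blocks, "mailboxes:", names)
```

With bound parameters the whole string is stored as an oddly named mailbox and the message blocks are untouched; with string building the store loses them.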