On 9/22/06, Joachim Schipper <[EMAIL PROTECTED]> wrote:
On Fri, Sep 22, 2006 at 03:57:45PM +0200, viq wrote:
> On 9/22/06, Henning Brauer <[EMAIL PROTECTED]> wrote:
> >* viq <[EMAIL PROTECTED]> [2006-09-22 14:53]:
> >> I am looking at setting up a mail solution for my home usage, and
> >> those seem to be a popular option from what people on the net seem to
> >> say. But, when looking at what we have in ports I noticed the versions
> >> are over 2 years old... So here's my question - did anyone have, or is
> >> aware of, any problems with them that would be fixed in the newer
> >> versions? Is anyone actually running those, or self-compiled newer
> >> versions thereof? Any issues with them?
> >
> >courier-imap 4.x breaks compatibility in a spectacular way
> >(authetication is entirely different). latest 3.x works just fine for
> >us.
> >
> >newer does not imply better.
>
> Ah, indeed. Good I asked then ;) Though, securityfocus does have a few
> entries on courier-imap...
> And latest 3.x is 3.0.8, and in our tree we have 3.0.5 ...
While the facts you state are correct, the suggestion that the
Courier-IMAP in tree is vulnerable is not. The vulnerabilities you state
are either fixed in 3.0.5 or not relevant; see the Changelog at
http:/www.courier-mta.org/imap.
Indeed, I took a closer look at those vulnerabilities and they mention
the affected version being 3.0.2 and older. Though in the changelog
there are a few things that sound like bugfixes, or at least "let's
make it work better", that probably make it worth considering bumping
it to 3.0.8. But then again, possibly not ;)
--
viq
