on 8/23/01 11:15 AM, Ken Jones at [EMAIL PROTECTED] spake:
> vpopmail-4.10.35 is available.
> This is a security fix.
>
> This is the first pre5.0 canidate. If no problems are
> found in the next week this will be the 5.0 release.
>
> Changes from 4.10.34 are:
>
> 1) vpopmail/lib directory is now owned by root
> and read/write/execute only by root.
>
> 2) vpopmail/lib/libvpopmail.a is also owned by
> root and read/write only by root.
>
> These changes make it impossible for non root
> users to compile programs which use the vpopmail
> library. This should restrict the ability for
> a regular user to create a vpopmail application
> and then core dump it to view the contents of
> the libvpopmail.a library, which includes the
> authentication information to databases,
> like mysql, oracle or ldap.
>
> Ken Jones
> inter7.com
Oh yeah.. IMAP before SMTP still doesn't work in vpopmail-4.9.35
(courier-imap 1.3.10). I've been looking through the open_smtp_relay()
function and also at preauthvchkpw.c, but can't figure out which one is the
problem. It dies just after creating ~vpopmail/etc/open_smtp.lock and
~vpopmail/etc/open_smtp.<PID>, but before writing the IP info to open_smtp.
POP before SMTP works fine.
Cheers,
Bill Shupp
