[Mimedefang] SECURITY UPDATE: MIMEDefang 2.23 FINAL is released

Stephane Lentz Stephane.Lentz at ansf.alcatel.fr
Sun Oct 20 16:53:01 EDT 2002


On Fri, Oct 18, 2002 at 10:19:59AM -0400, David F. Skoll wrote:
> Hi,
> 
> I was doing some stress-testing of MIMEDefang and found a scenario under
> which mimedefang-multiplexor could crash on a heavily-loaded system.
> This is extremely unlikely to happen on a real mail server -- the bug
> has been present for over a year and I haven't had reports of it happening.
> 
> Nevertheless, an attacker with sufficient bandwidth may be able to
> crash the multiplexor, leading to a denial of service.  The bug is
> not exploitable for the purpose of executing attacker's code.
> 
> I recommend that everyone upgrade to 2.23, available at
> http://www.roaringpenguin.com/mimedefang/
> 

David, 

Shouldn't line 200 of suggested-minimum-filter-for-windows-clients be:
md_log('bad_filename', $fname, $type);
instead of 
md_log('bad_filename', $fname);

It would be great to have $RelayAddr written for all
md_log lines too: it can help to track the source of the
rejection without looking at the quarantine directory.
I'm thinking about using:
md_log('bad_filename', $fname, $RelayAddr);
for bad filenames, for instance.

Regards,

SL/
---
Stephane Lentz / Alcanet International - Internet Services


