[Mimedefang] SECURITY UPDATE: MIMEDefang 2.23 FINAL is released
David F. Skoll
dfs at roaringpenguin.com
Fri Oct 18 10:21:01 EDT 2002

Hi,

I was doing some stress-testing of MIMEDefang and found a scenario under
which mimedefang-multiplexor could crash on a heavily-loaded system.
This is extremely unlikely to happen on a real mail server -- the bug
has been present for over a year and I haven't had reports of it happening.

Nevertheless, an attacker with sufficient bandwidth may be able to
crash the multiplexor, leading to a denial of service. The bug is
not exploitable for the purpose of executing attacker's code.

I recommend that everyone upgrade to 2.23, available at
http://www.roaringpenguin.com/mimedefang/

Regards,

David.

2002-10-18  David F. Skoll  <dfs at roaringpenguin.com>

    * Version 2.23 RELEASED

    * SECURITY UPDATE: An attacker with sufficient bandwidth may be
      able to crash mimedefang-multiplexor for versions up to 2.22.
      This attack cannot be used to execute attacker's code; it's only a
      denial-of-service attack. See next changelog entry for details:

    * event_tcp.c (handle_writeable): Check that state->f is
      non-NULL before dereferencing it.

    * event_tcp.c: Check for EINTR/EAGAIN on read() and write()
      system calls.

    * configure.in: Default DEFANGUSER to "defang" if
      --with-user not supplied.

2002-10-17  David F. Skoll  <dfs at roaringpenguin.com>

    * Version 2.22 RELEASED
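
The two event_tcp.c changelog entries above describe a common pattern for write handlers on non-blocking descriptors. The sketch below is an added example, not MIMEDefang's code: only the names handle_writeable and state->f come from the changelog, while the struct layout, the return codes, and the flaky_write and count_done helpers are assumptions made for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <sys/types.h>

typedef void (*done_fn)(int ok, void *data);
typedef ssize_t (*write_fn)(int fd, const void *buf, size_t len);

struct write_state {          /* hypothetical layout; only "f" is named on the page */
    const char *buf;
    size_t len, cur;
    done_fn f;                /* completion callback, may legitimately be NULL */
    void *data;
};

enum { W_ERROR = -1, W_DONE = 0, W_AGAIN = 1 };

/* Called when the event loop reports the descriptor writeable. */
int handle_writeable(int fd, struct write_state *state, write_fn do_write)
{
    while (state->cur < state->len) {
        ssize_t n = do_write(fd, state->buf + state->cur, state->len - state->cur);
        if (n < 0) {
            if (errno == EINTR) continue;            /* signal: retry immediately */
            if (errno == EAGAIN || errno == EWOULDBLOCK)
                return W_AGAIN;                      /* buffer full: wait for next event */
            if (state->f) state->f(0, state->data);  /* real error; guard the pointer */
            return W_ERROR;
        }
        state->cur += (size_t)n;
    }
    if (state->f) state->f(1, state->data);          /* never call through NULL */
    return W_DONE;
}

/* Constructed stand-in for write(): EINTR, 4 bytes, EAGAIN, then 4 bytes per call. */
static int flaky_step;
ssize_t flaky_write(int fd, const void *buf, size_t len)
{
    int step = flaky_step++;
    (void)fd; (void)buf;
    if (step == 0) { errno = EINTR;  return -1; }
    if (step == 2) { errno = EAGAIN; return -1; }
    return (ssize_t)(len < 4 ? len : 4);
}

void count_done(int ok, void *data) { if (ok) ++*(int *)data; }

int main(void)
{
    struct write_state st = { "0123456789", 10, 0, NULL, NULL };
    int r1 = handle_writeable(-1, &st, flaky_write);
    int r2 = handle_writeable(-1, &st, flaky_write);
    return !(r1 == W_AGAIN && r2 == W_DONE && st.cur == 10);
}
```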