[Mimedefang] SECURITY UPDATE: MIMEDefang 2.23 FINAL is released

Evan Cofsky evan at theunixman.com
Fri Oct 18 12:25:01 EDT 2002


That's interesting, since I've been experiencing that sort of thing
off and on.  I thought it was related to the bad hard drives I had
(IBM Deathstars), but apparently not.

Do you have any more details?  It would usually happen for me when the
load average was around 10-20, which is common on our mail gateway,
although 90 isn't unheard of here.  I ended up just scripting a cron
job which would monitor it and restart it if the process died.

I'm glad to know I may not be as crazy as I thought.

On 10/18 10:19, David F. Skoll wrote:
> Hi,
> 
> I was doing some stress-testing of MIMEDefang and found a scenario under
> which mimedefang-multiplexor could crash on a heavily-loaded system.
> This is extremely unlikely to happen on a real mail server -- the bug
> has been present for over a year and I haven't had reports of it happening.
> 
> Nevertheless, an attacker with sufficient bandwidth may be able to
> crash the multiplexor, leading to a denial of service.  The bug is
> not exploitable for the purpose of executing attacker's code.
> 
> I recommend that everyone upgrade to 2.23, available at
> http://www.roaringpenguin.com/mimedefang/
> 
> Regards,
> 
> David.
> 
> 2002-10-18  David F. Skoll  <dfs at roaringpenguin.com>
> 
> 	* Version 2.23 RELEASED
> 
> 	* SECURITY UPDATE: An attacker with sufficient bandwidth may be
> 	able to crash mimedefang-multiplexor for versions up to 2.22.
> 	This attack cannot be used to execute attacker's code; it's only a
> 	denial-of-service attack.  See next changelog entry for details:
> 
> 	* event_tcp.c (handle_writeable): Check that state->f is
> 	non-NULL before dereferencing it.
> 
> 	* event_tcp.c: Check for EINTR/EAGAIN on read() and write()
> 	system calls.
> 
> 	* configure.in: Default DEFANGUSER to "defang" if
> 	--with-user not supplied.
> 
> 2002-10-17  David F. Skoll  <dfs at roaringpenguin.com>
> 
> 	* Version 2.22 RELEASED

-- 
How much does it cost to entice a dope-smoking UNIX system guru to Dayton?
                -- UNIX/WORLD's First Annual Salary Survey, Brian Boyle

Evan Cofsky, President, CEO Pacific Development Group <evan at pacificdev.com>
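The changelog entries quoted above describe two fixes in mimedefang-multiplexor: checking state->f for NULL before dereferencing it in handle_writeable, and treating EINTR/EAGAIN from read() and write() as retry conditions rather than errors. The block below is an added illustration, not MIMEDefang's own event_tcp.c; the struct fields, the function names and the pipe-based self-check are assumptions, written to show how a writeable-event handler avoids both the crash and silent connection loss under heavy load.

```c
#include <errno.h>
#include <fcntl.h>
#include <sys/types.h>
#include <unistd.h>
/* Hypothetical per-connection state; field names are assumptions modelled on
 * the changelog's state->f, not MIMEDefang's own event_tcp.c. */
struct write_state {
    int fd;           /* non-blocking socket or pipe we are sending on */
    const char *buf;  /* bytes still to send */
    size_t len;       /* how many of them remain */
    void *f;          /* per-connection object; NULL once the peer is gone */
};

/* Returns bytes written (>0), 0 if the descriptor would block (wait for the
 * next writeable event), or -1 on a fatal error or an invalid state. */
ssize_t handle_writeable_safe(struct write_state *state)
{
    /* The 2.23 fix: never dereference state->f without checking it first. */
    if (state == NULL || state->f == NULL || state->buf == NULL)
        return -1;
    for (;;) {
        ssize_t n = write(state->fd, state->buf, state->len);
        if (n >= 0) {
            state->buf += n;
            state->len -= (size_t)n;
            return n;
        }
        if (errno == EINTR)
            continue;      /* a signal interrupted write(): simply retry */
        if (errno == EAGAIN || errno == EWOULDBLOCK)
            return 0;      /* kernel buffer full: not an error, come back later */
        return -1;         /* genuine error: caller should close the connection */
    }
}

/* Self-check on a non-blocking pipe: fills it until write() reports EAGAIN and
 * verifies that is reported as "retry later" (0) and a NULL state->f as -1. */
int self_test(void)
{
    int fds[2], marker; static char chunk[4096];  /* marker stands in for the real object */
    if (pipe(fds) != 0 || fcntl(fds[1], F_SETFL, O_NONBLOCK) != 0)
        return 0;
    struct write_state st = { fds[1], chunk, sizeof chunk, &marker };
    ssize_t r;
    while ((r = handle_writeable_safe(&st)) > 0) { st.buf = chunk; st.len = sizeof chunk; }
    st.f = NULL;
    int null_ok = handle_writeable_safe(&st) == -1;
    close(fds[0]); close(fds[1]);
    return r == 0 && null_ok;
}
```

The loop in self_test keeps writing 4 KiB chunks until the pipe is full, so the final return value exercises the EAGAIN path that a busy gateway at load average 10-20 would hit constantly.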