[Mimedefang] SECURITY UPDATE: MIMEDefang 2.23 FINAL is released
Evan Cofsky
evan at theunixman.com
Fri Oct 18 12:25:01 EDT 2002
That's interesting, since I've been experiencing that sort of thing
off and on. I thought it was related to the bad hard drives I had
(IBM Deathstars), but apparently not.

Do you have any more details? It would usually happen for me when the
load average was around 10-20, which is common on our mail gateway,
although 90 isn't unheard of here. I ended up just scripting a cron
job which would monitor it and restart it if the process died.

I'm glad to know I may not be as crazy as I thought.

On 10/18 10:19, David F. Skoll wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi,
>
> I was doing some stress-testing of MIMEDefang and found a scenario under
> which mimedefang-multiplexor could crash on a heavily-loaded system.
> This is extremely unlikely to happen on a real mail server -- the bug
> has been present for over a year and I haven't had reports of it happening.
>
> Nevertheless, an attacker with sufficient bandwidth may be able to
> crash the multiplexor, leading to a denial of service. The bug is
> not exploitable for the purpose of executing attacker's code.
>
> I recommend that everyone upgrade to 2.23, available at
> http://www.roaringpenguin.com/mimedefang/
>
> Regards,
>
> David.
>
> 2002-10-18 David F. Skoll <dfs at roaringpenguin.com>
>
> * Version 2.23 RELEASED
>
> * SECURITY UPDATE: An attacker with sufficient bandwidth may be
> able to crash mimedefang-multiplexor for versions up to 2.22.
> This attack cannot be used to execute attacker's code; it's only a
> denial-of-service attack. See next changelog entry for details:
>
> * event_tcp.c (handle_writeable): Check that state->f is
> non-NULL before dereferencing it.
>
> * event_tcp.c: Check for EINTR/EAGAIN on read() and write()
> system calls.
>
> * configure.in: Default DEFANGUSER to "defang" if
> --with-user not supplied.
>
> 2002-10-17 David F. Skoll <dfs at roaringpenguin.com>
>
> * Version 2.22 RELEASED
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.0.6 (GNU/Linux)
> Comment: For info see http://quantumlab.net/pine_privacy_guard/
>
> iD8DBQE9sBiTxu9pkTSrlboRAoFfAKCld6lKB18544Flp234eWYN/zSpHgCgu6A6
> 1ikgxzVfVwuTXCBITFwULRM=
> =gq7U
> -----END PGP SIGNATURE-----
--
How much does it cost to entice a dope-smoking UNIX system guru to Dayton?
-- UNIX/WORLD's First Annual Salary Survey, Brian Boyle
Evan Cofsky, President, CEO Pacific Development Group <evan at pacificdev.com>
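
The two event_tcp.c changelog entries quoted above name two defensive patterns for event-driven socket code: check a state pointer before dereferencing it, and treat EINTR/EAGAIN from write() as retry conditions rather than failures. The following is an added example of those patterns, not code from MIMEDefang or from either poster; `conn_state`, `handle_writeable_safe`, `demo` and `big_buf` are hypothetical names, and the inputs are constructed.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/* Hypothetical per-connection state (not MIMEDefang's real structure). */
struct conn_state {
    int fd;
    const char *buf;  /* pending output; NULL once the connection is torn down */
    size_t len, off;
};

enum io_result { IO_DONE, IO_RETRY_LATER, IO_ERROR };

/* Called by the event loop when fd is reported writable. */
enum io_result handle_writeable_safe(struct conn_state *st)
{
    if (st == NULL || st->buf == NULL)
        return IO_ERROR;               /* stale event: refuse to dereference */
    while (st->off < st->len) {
        ssize_t n = write(st->fd, st->buf + st->off, st->len - st->off);
        if (n > 0) { st->off += (size_t)n; continue; }
        if (n < 0 && errno == EINTR)
            continue;                  /* interrupted by a signal: retry now */
        if (n < 0 && (errno == EAGAIN || errno == EWOULDBLOCK))
            return IO_RETRY_LATER;     /* kernel buffer full: wait for next event */
        return IO_ERROR;               /* real failure: caller closes the connection */
    }
    return IO_DONE;
}

static char big_buf[4 << 20];          /* constructed input, larger than a pipe buffer */

/* Constructed demo: run the handler against a non-blocking pipe nobody reads. */
enum io_result demo(const char *buf, size_t len)
{
    int p[2];
    if (pipe(p) != 0)
        return IO_ERROR;
    fcntl(p[1], F_SETFL, fcntl(p[1], F_GETFL) | O_NONBLOCK);
    struct conn_state st = { p[1], buf, len, 0 };
    enum io_result r = handle_writeable_safe(&st);
    close(p[0]);
    close(p[1]);
    return r;
}

int main(void)
{
    printf("%d %d %d\n", demo(NULL, 16), demo("hello", 5), demo(big_buf, sizeof big_buf));
    return 0;
}
```

On a loaded host the IO_RETRY_LATER path is the common one: a slow peer leaves the kernel buffer full, and the handler has to return to the event loop with its offset preserved instead of treating the short write as fatal.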