OSEC

From: William D. Colburn (aka Schlake) (wcolburnnmt.edu)
Date: Tue Jun 05 2001 - 14:51:50 CDT

    Here is a patch (attached) to take 4.0.3 down to 4.0.2.

    On Tue, Jun 05, 2001 at 06:52:23PM +0200, Roman Drahtmueller wrote:
    > We hope that this information is accurate. Version 4.0.2 is not on the ftp
    > server any more, and there is no patch from 4.0.2 to 4.0.3.
    > We currently feel handicapped in our efforts to check the code for the
    > changes wrt the buffer overflow.
    >
    > SuSE ships qpopper versions 2.53 (with a set of patches that include
    > security fixes for this version) for SuSE-6.3, 6.4 and 7.0; SuSE-7.1 and
    > the upcoming SuSE-7.2 release have version 3.1.2.
    >
    > If the above statement is right, then SuSE distributions are not
    > vulnerable. However, we wish to double-check such a claim. All kinds of
    > verification and transparency are welcome, including an official statement
    > from Qualcomm (thanks in advance!).
    >
    >
    > > Changes from 4.0.2 to 4.0.3:
    > > ----------------------------
    > > 1. Don't call SSL_shutdown unless we tried to negotiate an
    > > SSL session. (As suggested by Kenneth Porter.)
    > > 2. Fix buffer overflow (reported by Gustavo Viscaino).
    >
    >
    > Thank you,
    > Roman Drahtmüller,
    > SuSE Security.
    > - --
    > - -
    > | Roman Drahtmüller <drahtsuse.de> // "Caution: Cape does |
    > SuSE GmbH - Security Phone: // not enable user to fly."
    > | Nürnberg, Germany +49-911-740530 // (Batman Costume warning label) |
    > - -

    --
    William Colburn, "Sysprog" <wcolburnnmt.edu>
    Computer Center, New Mexico Institute of Mining and Technology
    http://www.nmt.edu/tcc/     http://www.nmt.edu/~wcolburn