[PLUG] new guy with questions

Dan Young danielmyoung at gmail.com
Thu Jul 6 17:28:31 UTC 2006


On 7/5/06, Elliott Mitchell <ehem at m5p.com> wrote:
> >From: "Dan Young" <danielmyoung at gmail.com>
> > On 6/28/06, Wil Cooley <wcooley at nakedape.cc> wrote:
> > >
> > > http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=qmail
> > > http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=postfix
> > > http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=exim
> > > http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=sendmail
> > >
> > > You must be careful with these lists, since third-party apps are
> > > included that are not actually part of the MTA itself, like Postgrey or
> > > qmailadmin, and vendor-specific configuration problems, like Apple's
> > > SMTP AUTH bungling.
> >
> > Thanks, Wil. That's what I was getting at. The postfix CVEs for the
> > last three years all reference either 3rd-party patches/addons (the
> > ipv6 open relay bug and postgrey) or vendor config problems.
>
> That is trivial compared to how that metric treats Sendmail. Better than
> three-quarters of the ones listed searching for sendmail are things
> completely unrelated, that simply call their mail sending functions
> "sendmail".
>
> CVE-2005-0337 most certainly looks like Postfix's bug (that doesn't
> appear to be an addon). CVE-2003-0540 as well, both within the past 3
> years.

CVE-2005-0337 was a bug in a 3rd-party IPv6 patch.
Please read the Redhat report:
http://rhn.redhat.com/errata/RHSA-2005-152.html
Or from Wietse on Bugtraq, if you prefer:
http://seclists.org/lists/bugtraq/2005/Feb/0070.html

CVE-2003-0540 is 35 months old, so not three years old for all of the
pedants out there. Thanks for clarifying that. It was a DoS, not
remote code execution, like the most recent Sendmail bug
(CVE-2006-0058).

-- 
Dan



More information about the PLUG mailing list