Re: [cobalt-security] QPOP Vulnerability - Again



Once upon a time, Jan P Tietze <jptietze@xxxxxxxxxxx> said:
> I called EMEA tech support today (btw - literally NO time spent waiting for a
> technician), and they said Cobalt was working on a fix, and that it's going to be
> in the next security update. As to when that update will be released, I was told
> they would find that out for me and send the information by email. As soon as
> (or if at all) I get this information, I will post it to this list.
> 
> Apparently, there seems to be no way to force Cobalt into fixing long-known
> broken functionality. A response on this list by Cobalt techies about the QPOP3
> vulnerability would be fine.

They are too busy working on the RaQ4 I guess.  That's why it took them
six months to fix things like the RaQ3 email catch-all bug.

They still have not released an official fix to the web site security
hole (originally I was thinking it was just with Front Page sites, but
it is with all sites).  With the normal setup, any user on a RaQ can
overwrite all the sites on the RaQ.  They tossed a "quick-fix" into the
experimental directory, but they have not really fixed it.

Now there are known security problems with proftpd again - I wonder if
those patches will ever make their way out of Cobalt?

I believe the current version of BIND on the RaQ2 is still open to
security holes as well - they fixed this one for the RaQ1 but not the
RaQ2!

-- 
Chris Adams <cmadams@xxxxxxxxxx>
Systems and Network Administrator - HiWAAY Information Services
I don't speak for anybody but myself - that's enough trouble.