Re: 2.99.50s17 available as tarball. SECURITY WARNING

> We are running an ancient version of zmailer (2.2.e6) that doesn't use a
> smtpserver.conf file.  Any suggestions?

   I am not quite sure what your followup meant, but...
The entire "epsilon" series contains the same problem as the original 2.2.1.
Also, all versions of ZMailer share a common part in the style flags
handling, at the '-s' option, and in a possible smtpserver.conf file.

Therefore yes, your version is vulnerable, and the "band-aid" is
already described here. (remove or replace with e.g. "." any instance
of characters 'f', 't', 'v', 'e' in those style flags.)

I did spot and poorly fix it years ago, only to learn a few weeks ago
that I didn't do a good job. :-/   Our friend \nick said roughly: "I
spotted it long ago too (at 2.2.1?), and fixed it independently, but
that fix product is a brain bender in its own."

My fixed fix is a clean one, no need for Aspirin/Advil/whatnot..

> 		thanks,
> 		bob
> Bob Manson                                        Phone (416)978-5898
> Systems Administrator, ECF                        Fax   (416)978-7320
> University of Toronto                      email  bob@ecf.utoronto.ca
> Toronto, Canada M5S 1A4                       or  bob@ecf.toronto.edu

/Matti Aarnio <mea@nic.funet.fi>