Re: POP3, lock files and procmail
From: Jem Berkes (jb_at_users.pc9.org)
Date: Sun, 13 Jul 2003 20:40:47 GMT
>> As for the UW software, I'm not comfortable with the security record
>> of UW IMAP. And yes, I've seen the FAQ entry 5.2 ;)
> Two buffer overflow bugs in the IMAP server, many years ago (and many
> release versions ago), and that's supposed to extend to the POP3
> server (an entirely different program) and to everything else that
> I've ever written forever?
Whoa, I never said it applies to everything you've written. I would trust
your coding much more than my own. As for IMAP and POP3 daemons, I didn't
know who wrote what and whether there was underlying shared code.
> Are you seriously claiming that buffer overflow bugs never happen in
> Linux? Or that it is possible to install a Linux system
> out-of-the-box on the open Internet without having it promptly rooted?
Who brought up Linux? Of course buffer overflows happen. Plenty of software
has had vulnerabilities: kernels themselves, openssh, openssl, apache, etc.
I didn't mean to insult you, I'm just saying that my _perception_ was that
there is some security risk associated with the UW software. I didn't know
who developed what components and whether various components (pine, imap,
pop3) used underlying shared code. I am unfamiliar with the software.
Now I apologize. I've definitely had a biased opinion, from ignorance and
some assumptions I've made over the years.
--
Jem Berkes
http://www.pc-tools.net/
Windows, Linux & UNIX software