Bug 132674 - net-mail/vpopmail: Cleartext Password Authentication Bypass
Bug#: 132674
Product: Gentoo Security
Version: unspecified
Platform: All
OS/Version: Linux
Status: RESOLVED
Severity: minor
Priority: P2
Resolution: FIXED
Assigned To: security@gentoo.org
Reported By: falco@gentoo.org
Component: Vulnerabilities
URL:  http://secunia.com/advisories/19987/
Status Whiteboard: C3 [noglsa]
Opened: 2006-05-08 06:02 0000
Description:
Original advisory:
http://sourceforge.net/project/shownotes.php?release_id=415350

SA19987:
Description:
A security issue has been reported in vpopmail, which can be exploited by
malicious people to bypass certain security restrictions.

The security issue is caused due to an error within the handling of SMTP AUTH
and APOP password authentication. This can be exploited to authenticate to the
mail server using a blank password.

Successful exploitation requires that cleartext password authentication is
enabled and that the account does not have a cleartext password set.

The security issue has been reported in versions 5.4.14 and 5.4.15. Prior
versions may also be affected.

Solution:
The security issue has been fixed in development version 5.4.16.
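
Added example, not part of the bug report or the advisory and not vpopmail's own code: a Python model of how a challenge-response check (APOP, and CRAM-MD5 as an assumed SMTP AUTH mechanism) accepts a blank password when the stored cleartext secret is empty, beside a check that rejects such accounts. The account table, the function names and the use of an empty string for "no cleartext password set" are assumptions.

```python
import hashlib
import hmac

# Constructed accounts; "" models an account with no cleartext password set.
ACCOUNTS = {
    "alice@example.org": {"clear": "correct horse"},
    "bob@example.org": {"clear": ""},
}

def apop_digest(banner: str, secret: str) -> str:
    """RFC 1939 APOP: hex MD5 over the server banner followed by the secret."""
    return hashlib.md5((banner + secret).encode()).hexdigest()

def cram_md5_digest(challenge: str, secret: str) -> str:
    """RFC 2195 CRAM-MD5: hex HMAC-MD5 of the challenge keyed with the secret."""
    return hmac.new(secret.encode(), challenge.encode(), hashlib.md5).hexdigest()

def verify_naive(user, challenge, response, digest_fn):
    """Flawed: uses whatever is stored as the secret, even an empty string."""
    account = ACCOUNTS.get(user)
    if account is None:
        return False
    expected = digest_fn(challenge, account["clear"])
    return hmac.compare_digest(expected, response)

def verify_hardened(user, challenge, response, digest_fn):
    """Refuses challenge-response auth when no cleartext secret is stored."""
    account = ACCOUNTS.get(user)
    if account is None or not account["clear"]:
        return False
    expected = digest_fn(challenge, account["clear"])
    return hmac.compare_digest(expected, response)

def demo():
    """Run both checks for each mechanism and return the outcomes."""
    challenge = "<1896.697170952@mail.example.org>"  # constructed challenge
    results = {}
    for name, fn in (("apop", apop_digest), ("cram-md5", cram_md5_digest)):
        blank = fn(challenge, "")             # response derived from a blank password
        good = fn(challenge, "correct horse")  # response from alice's real password
        results[name] = {
            "naive_blank_bob": verify_naive("bob@example.org", challenge, blank, fn),
            "hardened_blank_bob": verify_hardened("bob@example.org", challenge, blank, fn),
            "hardened_good_alice": verify_hardened("alice@example.org", challenge, good, fn),
        }
    return results

if __name__ == "__main__":
    print(demo())
```

Both mechanisms derive the expected response from the stored secret, so an empty stored secret matches a response computed from a blank password unless the verifier rejects empty secrets first.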

------- Comment #1 From Raphael Marichez 2006-05-08 06:13:02 0000 -------
5.4.16 is available correcting the issue, please provide a new ebuild :)

------- Comment #2 From Jory A. Pratt 2006-05-08 15:16:15 0000 -------
Committed to tree, go ahead and mark stable.

------- Comment #3 From Torsten Veller 2006-05-09 06:38:07 0000 -------
stable on x86

------- Comment #4 From Gustavo Zacarias (RETIRED) 2006-05-09 06:57:12 0000 -------
da sparc stable.

------- Comment #5 From René Nussbaumer 2006-05-10 11:25:25 0000 -------
stable on hppa

------- Comment #6 From Thomas Cort (RETIRED) 2006-05-10 11:47:42 0000 -------
amd64 done.

------- Comment #7 From Tobias Scherbaum 2006-05-11 05:35:22 0000 -------
ppc stable

------- Comment #8 From Stefan Cornelius (RETIRED) 2006-05-11 05:38:43 0000 -------
ready for glsa-vote. tend to say no.

------- Comment #9 From Sune Kloppenborg Jeppesen 2006-05-11 09:16:38 0000 -------
I tend to vote NO too.

------- Comment #10 From Raphael Marichez 2006-05-11 22:32:54 0000 -------
Same, I tend to vote no.

------- Comment #11 From Thierry Carrez (RETIRED) 2006-05-13 09:48:56 0000 -------
Voting no and closing.