Bug 132674 - net-mail/vpopmail: Cleartext Password Authentication Bypass
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
URL: http://secunia.com/advisories/19987/
Whiteboard: C3 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2006-05-08 06:02 UTC by Raphael Marichez (Falco) (RETIRED)
Modified: 2006-11-11 20:12 UTC
Description Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-05-08 06:02:09 UTC
original advisory : http://sourceforge.net/project/shownotes.php?release_id=415350

SA19987 :
Description:
A security issue has been reported in vpopmail, which can be exploited by malicious people to bypass certain security restrictions.

The security issue is caused due to an error within the handling of SMTP AUTH and APOP password authentication. This can be exploited to authenticate to the mail server using a blank password.

Successful exploitation requires that cleartext password authentication is enabled and that the account does not have a cleartext password set.

The security issue has been reported in versions 5.4.14 and 5.4.15. Prior versions may also be affected.

Solution:
The security issue has been fixed in development version 5.4.16.
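
The condition SA19987 describes, as an added Python sketch that is not vpopmail's code and not part of the original report: a challenge-response verifier that computes the expected APOP digest from an empty stored cleartext password, next to a hardened one that refuses such accounts. The account store, function names and greeting timestamp are constructed for illustration.

```python
import hashlib
import hmac

# Constructed account store (assumption): "bob" has no cleartext password on
# file, which is the precondition the advisory names.
ACCOUNTS = {"alice": {"clear_pw": "correct horse"}, "bob": {"clear_pw": ""}}

def apop_digest(banner: str, secret: str) -> str:
    """RFC 1939 APOP response: hex MD5 of the greeting timestamp + shared secret."""
    return hashlib.md5((banner + secret).encode()).hexdigest()

def verify_naive(user: str, banner: str, client_digest: str) -> bool:
    """Flawed: derives the expected digest even when the stored secret is empty."""
    acct = ACCOUNTS.get(user)
    if acct is None:
        return False
    expected = apop_digest(banner, acct["clear_pw"])
    return hmac.compare_digest(expected, client_digest)

def verify_hardened(user: str, banner: str, client_digest: str) -> bool:
    """Refuses challenge-response auth for accounts with no cleartext secret."""
    acct = ACCOUNTS.get(user)
    if acct is None or not acct["clear_pw"]:
        return False
    expected = apop_digest(banner, acct["clear_pw"])
    return hmac.compare_digest(expected, client_digest)

def accounts_without_cleartext() -> list:
    """Audit helper: accounts exposed until the verifier is fixed."""
    return sorted(u for u, a in ACCOUNTS.items() if not a["clear_pw"])

if __name__ == "__main__":
    banner = "<1896.697170952@mail.example>"  # constructed greeting timestamp
    blank = apop_digest(banner, "")           # digest a blank password produces
    for name, check in (("naive", verify_naive), ("hardened", verify_hardened)):
        print(name, "bob/blank ->", check("bob", banner, blank))
    print("accounts to review:", accounts_without_cleartext())
```
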
Comment 1 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-05-08 06:13:02 UTC
5.4.16 is available correcting the issue, please provide a new ebuild :)
Comment 2 Jory A. Pratt 2006-05-08 15:16:15 UTC
Committed to tree, go ahead and mark stable.
Comment 3 Torsten Veller (RETIRED) gentoo-dev 2006-05-09 06:38:07 UTC
stable on x86
Comment 4 Gustavo Zacarias (RETIRED) gentoo-dev 2006-05-09 06:57:12 UTC
da sparc stable.
Comment 5 René Nussbaumer (RETIRED) gentoo-dev 2006-05-10 11:25:25 UTC
stable on hppa
Comment 6 Thomas Cort (RETIRED) gentoo-dev 2006-05-10 11:47:42 UTC
amd64 done.
Comment 7 Tobias Scherbaum (RETIRED) gentoo-dev 2006-05-11 05:35:22 UTC
ppc stable
Comment 8 Stefan Cornelius (RETIRED) gentoo-dev 2006-05-11 05:38:43 UTC
ready for glsa-vote. tend to say no.
Comment 9 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-05-11 09:16:38 UTC
I tend to vote NO too.
Comment 10 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-05-11 22:32:54 UTC
same, I tend to vote no
Comment 11 Thierry Carrez (RETIRED) gentoo-dev 2006-05-13 09:48:56 UTC
Voting no and closing.