Date: Fri, 28 Mar 2003 14:25:32 +0000
From: "fwegwg dfbndebndebner" <erwin_lists@...mail.com>
To: bugtraq@...urityfocus.com
Cc: vulndiscuss@...nwatch.org
Subject: [VulnDiscuss] Clearswift MAILsweeper hotfix


Dear mailinglist readers,

On the 17th of March 2003 Clearswift released a hotfix (4.3.7) for
MAILsweeper version 4.3. In the accompanying Readme file
(http://www.mimesweeper.com/download/bin/Patches/MAILsweeper_Patches_301_ReadMe.htm)
three vulnerabilities are reported. The first vulnerability is the MIME
evasion vulnerability which was reported by Corsaire.

The other two vulnerabilities are:
1. MAILsweeper for SMTP Version 4.3.6 (SP1) ignored the classification
configured for the On strip unsuccessful scenario outcome if a detected
attachment could not be removed from the message. This was the case for
all scenarios that have the ability to strip attachments. MAILsweeper
for SMTP Version 4.3.7 now follows the specified classification in the
event that the attachment cannot be removed successfully.

As a result of these changes, the behavior of the Attachment Stripper
scenario upon detecting certain format types that appear outside of an
attachment has changed from Version 4.3.6 (SP1). For detailed
information on the effect of these changes, see the Technotes under the
(Support page) of the MIMEsweeper website.

2. A fix to a memory leak in the MAILsweeper for SMTP Delivery service.

I tried to find more information on the Internet for these two
vulnerabilities, but I couldn't find any information. I contacted
Clearswift for additional information, but several attempts failed,
because they won't help companies or people without a Premium Support
contract.

I am wondering if these vulnerabilities are security related and could be
exploited by a local or remote attacker. The reason I am looking for
this information is that the company I am working for has its own
vulnerability and alerting service for customers. We inform our
customers when security vulnerabilities are discovered in the software
products they use and how they can resolve this. The brief description
in the ReadMe file doesn't give me enough information to judge if these
vulnerabilities are security related.

I hope somebody can provide me with additional information.

Regards,

Erwin




