Date: Wed, 09 Apr 2003 15:55:47 +0200
From: Hilko Bengen <bengen+amavis@...luzination.de>
To: bugtraq@...urityfocus.com
Subject: Re: AMaViS-ng 0.1.6.x and postfix: possible open relay and mail loss


Phil Cyc <ajEA3UMBepQ4MRExDmm0qbFeeQEJtffpg.1@...tected.unixadm.org>
writes:

> with postfix using AMaViS-ng 0.1.6.x (tested: 0.1.6.2 and 0.1.6.3;
> 0.1.4.x is
> not vulnerable), all email gets forwarded to the address specified by the
> "To:" header line, ignoring the real recipient given via "RCPT TO:".

[...]

As the main developer of AMaViS-ng, I would like to make three
comments at this time:

(1) Unfortunately, Phil did not contact me or any other AMaViS
developer, neither via private mail nor by sending a message to
security@...vis.org, before posting to Bugtraq. He did post to the
amavis-user list on Mon, 7 Apr 2003 00:33:52 +0200 (see:
http://sourceforge.net/mailarchive/message.php?msg_id=4298123), which
was only about 14h before posting to this list. "Prior notice" is
something else in my dictionary.

Neither did he inform anyone from the AMaViS development team of his
posting to this list. I only became aware of it because other
subscribers pointed me to his article.

(2) The issue is being investigated at the moment and I will post
updates when we know more about it.

(3) Using the information from Phil's posting to this list, we have
not been able to confirm the vulnerability so far. We hope to get this
issue sorted out soon.

Regards,
-Hilko
