lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <878yujrd0c.fsf@ataraxia.hilluzination.de>
Date: Wed, 09 Apr 2003 15:55:47 +0200
From: Hilko Bengen <bengen+amavis@...luzination.de>
To: bugtraq@...urityfocus.com
Subject: Re: AMaViS-ng 0.1.6.x and postfix: possible open relay and mail
 loss


Phil Cyc <ajEA3UMBepQ4MRExDmm0qbFeeQEJtffpg.1@...tected.unixadm.org>
writes:

> with postfix using AMaViS-ng 0.1.6.x (tested: 0.1.6.2 and 0.1.6.3;
> 0.1.4.x is
> not vulnerable), all email gets forwarded to the address specified by the
> "To:" header line, ignoring the real recipient given via "RCPT TO:".

[...]

As the main developer of AMaViS-ng, I would like to make three
comments at this time:

(1) Unfortunately, Phil did not contact me or any other AMaViS
developer, neither via private mail nor by sending a message to
security@...vis.org, before posting to Bugtraq. He did post to the
amavis-user list on Mon, 7 Apr 2003 00:33:52 +0200 (see:
http://sourceforge.net/mailarchive/message.php?msg_id=4298123), which
was only about 14h before posting to this list. "Prior notice" is
something else in my dictionary.

Neither did he inform anyone from the AMaViS development team of his
posting to this list. I only became aware of it because other
subscribers pointed me to his article.

(2) The issue is being investigated at the moment and I will post
updates when we know more about it.

(3) Using the information from Phil's posting to this list, we have
not been able to confirm the vulnerability so far. We hope to get this
issue sorted out soon.

Regards,
-Hilko


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ