Bugtraq mailing list archives

Re: vpopmail/vchkpw remote root exploit


From: djb () CR YP TO (D. J. Bernstein)
Date: Sun, 23 Jan 2000 22:54:27 -0000


This ``qmail-pop3d security advisory'' is fraudulent. There are no
security problems in the qmail package.

There are some serious security problems in the vpopmail/vchkpw package.
But vpopmail/vchkpw is not part of qmail. I didn't write it. I haven't
reviewed it. I don't distribute it. I don't use it. I am not responsible
for its bugs.

Blaming qmail-popup for a bug in vpopmail/vchkpw is like blaming
qmail-smtpd for a bug in procmail or pine. It deceives people as to the
source of the problem and the nature of the correct fix.

The claim of protocol non-compliance is neither relevant nor correct.
Clients that send long usernames are violating RFC 1939, but servers
that allow long usernames as an extension are not violating RFC 1939.
The qmail package deliberately and consistently allows such extensions,
as documented in the qmail-limits manual page.

I don't enjoy being the target of defamation. I don't enjoy receiving
email from people who have heard false rumors of bugs in my software. I
asked the author of this advisory to make an honest statement of his
results. Instead he attempted to frighten qmail users who, in fact, have
nothing to worry about.

The security community cannot condone this type of behavior. As soon as
I have some free time, I am going to track down the author and sue him
for libel. I fully expect to win.

---Dan Bernstein
