[cobalt-developers] RaQ3/4: IMAP & qpopper (unofficial RPMs and PKGs proposal)

[Michael Stauber <devel@xxxxxxxxxxxxxx>]

Hi all,

I'm currently looking a little deeper at IMAP and Qpopper on the RaQ3 and RaQ4 
and plan to rebuild those daemons from the latest available sources. My 
intention is to release free and unofficial PKG and RPM files which upgrade 
these daemons to the latest versions.

The RaQ3 and RaQ4 use the University of Washington IMAP version 4rev1 v12.264. 
SUN/Cobalt is kinda misleading about that fact - by accident or intent. When 
you query the RPM database it returns back that imap-4.7c2-C1 is installed. 
However, the IMAP daemon is not imap-4.7 as one might guess from looking at 
the version of the installed RPM package. It's in fact the vulnerable 
imap-4rev1 v12.264 instead.

A vulnerability exists in version 12.264 of the University of Washington IMAPd 
server (UM-IMAP), implementing IMAP4rev1. This weakness could allow a logged 
in user to execute arbitrary code. As far as is known this does not allow the 
user to get root access, instead the code or shell is executed with the 
user's privileges. Which is worse enough.

The installed Qpopper is slightly better off. It's version 3.02 and should fix 
all security issues which 3.01 and especially 2.53 had.

However, Qpopper-4.0.4 is out and aside from TLS/SSL support it's (according 
to Eudora/Qualcom) 1000-times faster on startup and one third faster at 
session end.

I fetched the SRPMs which SUN/Cobalt used to build those daemons presently on 
the RaQ4, but I'm looking for feedback and input people who have already 
installed a newer IMAP and/or Qpopper from the sources. 

What obstacles did you run into?
Did you use any special configure options? (if so, which and why)

-- 

With best regards

Michael Stauber
mstauber@xxxxxxxxxxxxxx
Unix/Linux Support Engineer