Re: [cobalt-users] [Qube2] Cobalt Security Advisory - 07.24.2000 - Qpopper

["dr. mikey." <mikey@xxxxxxxxxxxxxxxxx>]

jeff, a couple or three questions if you don't mind...

Jeff Lovell wrote:
> Qpopper 2.53 and older may permit an attacker who has
> access to a valid account to obtain a shell with group-id
> 'mail', potentially allowing read/write access to all mail.
> 
> The Cobalt Qube2 was updated in with the latest
> version of qpopper as of OS Update 3.0.  If you
> have not installed that update yet, it is recommended
> you do so as soon as possible.  It can be found
> at:
> 
> ftp://ftp.cobalt.com/pub/packages/qube2/eng/Qube2-Update-OS-2.0.pkg

(1) in the address above, shouldn't it be: 
ftp://ftp.cobalt.com/pub/packages/qube2/eng/Qube2-en-OSUpdate-3.0.pkg

(2) i have installed update 3.0 (ftp'd from the above url) on our qube2,
but when i telnet to the local host it reports that qpopper is still
running version 2.53.  what do you think went wrong here (i did look
inside the os 3.0 update, and of course the promissed qpopper rpm is
there)?  what, if anything, should i do now?

(3) after installing the os 3.0 pkg (through the gui), the
pop-before-smtp stopped working.  i thought perhaps the os 3.0 had
disabled or removed it, so i reinstalled the pkg, however, it still
didn't work untill i manually stopped and restarted the smtp server. 
(there really isn't a question here, more of a comment really, but just
to be safe i though i would mention it).  any thoughts?

thanks for the help,

mikey.

-- 
mike songster <mikey@xxxxxxxxxxxxxxxxx>
work1: http://www.biosearchtech.com
work2: http://www.chem.umn.edu/orgs/ampepsoc

spinning and spinning and spinning around...
                                       the feelies