Re: [Courier-imap] Ubuntu bugs: pop3 and imap tls plaintext command injection
From: Sam V. <mr...@co...> - 2013-10-28 23:16:39
Jakob Bohm writes:

> That said, I think it would be slightly safer, just in case the issue
> becomes real, for courier to treat this particular protocol violation
> as fatal and abort the connection before or during the TLS negotiation.
>
> However, since this is mostly a hypothetical problem at this stage,
> I don't think it warrants an out-of-schedule security update or
> advisory, just something to tweak later.

That's pretty much the same conclusion I reached. This is not an issue at present. Nothing can be accomplished by exploiting it that an attacker in position to exploit it cannot already accomplish via other means. This is something that can be addressed at some convenient time later.

I wouldn't abort it, just flush it away. That's what other implementations picked to do.
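The two options weighed in this message, flushing leftover plaintext versus aborting, sketched as an added example that is not part of the original post and is not Courier's code. `struct inbuf`, `starttls_boundary` and the policy names are hypothetical, and the input bytes are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical plaintext input buffer for one POP3/IMAP session. */
struct inbuf { char data[512]; size_t len; };
enum policy { POLICY_FLUSH, POLICY_ABORT };

/* Append bytes as one read() on the cleartext socket would deliver them. */
int inbuf_feed(struct inbuf *b, const char *p, size_t n) {
    if (n > sizeof b->data - b->len) return -1;   /* buffer full */
    memcpy(b->data + b->len, p, n);
    b->len += n;
    return 0;
}

/* Pop the first LF-terminated line; returns its length, -1 if none. */
int inbuf_getline(struct inbuf *b, char *line, size_t cap) {
    char *nl = memchr(b->data, '\n', b->len);
    if (!nl) return -1;
    size_t n = (size_t)(nl - b->data) + 1;
    if (n >= cap) return -1;
    memcpy(line, b->data, n);
    line[n] = '\0';
    memmove(b->data, b->data + n, b->len - n);
    b->len -= n;
    return (int)n;
}

/* Call after the STLS/STARTTLS line is consumed, before the handshake.
 * Bytes still buffered arrived unauthenticated in cleartext.
 * Returns bytes discarded (flush) or -1 to drop the connection (abort). */
int starttls_boundary(struct inbuf *b, enum policy p) {
    size_t pending = b->len;
    if (pending == 0) return 0;
    if (p == POLICY_ABORT) return -1;
    b->len = 0;                  /* never replay these after TLS is up */
    return (int)pending;
}

int main(void) {
    struct inbuf b = { {0}, 0 };
    char line[64];
    const char seg[] = "STLS\r\nNOOP\r\n";  /* constructed: one TCP segment */
    inbuf_feed(&b, seg, sizeof seg - 1);
    inbuf_getline(&b, line, sizeof line);
    printf("discarded %d plaintext bytes\n", starttls_boundary(&b, POLICY_FLUSH));
    return 0;
}
```

Logging the discarded byte count at the boundary gives operators a signal that a client or an on-path party sent data ahead of the handshake.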