From kris@FreeBSD.org  Sat May  6 14:26:22 2000
Message-Id: <Pine.BSF.4.21.0005061423210.14022-100000@freefall.freebsd.org>
Date: Sat, 6 May 2000 14:26:22 -0700 (PDT)
From: Kris Kennaway <kris@FreeBSD.org>
To: Adrian Penisoara <ady@freebsd.ady.ro>
Cc: FreeBSD-gnats-submit@freebsd.org,
	Dmitry Sivachenko <dima@Chg.RU>, security-officer@freebsd.org
In-Reply-To: <200005061756.UAA96831@ady.warpnet.ro>
Subject: Re: port update: mail/imap-uw from 4.7c1 to 4.7c2

>Number:         18420
>Category:       ports
>Synopsis:       Re: port update: mail/imap-uw from 4.7c1 to 4.7c2
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    gnats-admin
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun May 07 01:10:18 PDT 2000
>Closed-Date:    Sun May 7 06:48:47 PDT 2000
>Last-Modified:  Wed Oct 26 05:56:07 GMT 2005
>Originator:     
>Release:        
>Organization:
>Environment:
>Description:
 On Sat, 6 May 2000, Adrian Penisoara wrote:
 
 >  The author released yet another small update which fixes additional
 > buffer overflows in dummy.c and env_unix.c in src/osdep/unix.
 
 I didn't get the chance to look at this port yet, but given the above I'm
 inclined to keep the port FORBIDDEN for a while longer and give the author
 time to finish fixing whatever other security holes he can find. The only
 question is really how hard he's going to look for them.
 
 The alternative is reissuing advisories every time saying "whoops, the
 imap-uw port is insecure again".."now it's fixed".."oops, it's still
 insecure".
 
 Comments?
 
 Kris
 
 ----
 In God we Trust -- all others must submit an X.509 certificate.
     -- Charles Forsythe <forsythe@alum.mit.edu>
 
 
>How-To-Repeat:
>Fix:
>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->closed 
State-Changed-By: steve 
State-Changed-When: Sun May 7 06:48:47 PDT 2000 
State-Changed-Why:  
Followup to another problem report. 
>Unformatted:
