
Re: IMP error: 'document contained no data'



Matthew Thompson (mattyt@oz.net) said:
> Thanks for the reply, Adam.  Seeing as I'm really only a quasi-nerd :),
> can you tell me just how serious the security hole is?  I can use Pine for
> my email on the server in question, but I was just about to set up IMP as
> the primary mail system here at work, and I obviously don't want to do
> that if users can't send messages or if there's a significant security
> hole.

It's a remote root exploitable bug. The published temp fix with the (old)
exploitable version is to disable error logging to avoid the format string
problems.

You can do this by making sure your /etc/php3/apache/php3.ini has the
line:

log_errors = Off

It's up to you to assess if you want IMP to work with the old version and
no error logging (which I think is the default on Debian) or if it's too
risky.

.adam

-- 
[                <adam@lazur.org> <laz@clustermonkey.org>                ]
[              icq #3354423 | lazur.org | clustermonkey.org              ]
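
A check for the workaround described above, as an added example that is not part of the original message: it reports whether log_errors is effectively Off in a php3.ini-style file, so a commented-out line or a later override is not mistaken for the fix. The function names and the ini parsing rules stated in the comments are assumptions.

```shell
#!/bin/sh
# Added example, not from the original message.
# Assumed ini rules: ';' starts a comment, keys are case-insensitive, the last
# uncommented assignment wins, and only on/1/yes/true mean "enabled".

# Print the effective log_errors state of ini file $1: on, off, or unset.
log_errors_state() {
    awk '
        BEGIN { state = "unset" }
        {
            line = $0
            sub(/;.*/, "", line)                  # drop comments
            eq = index(line, "=")
            if (eq == 0) next                     # no assignment on this line
            key = tolower(substr(line, 1, eq - 1))
            val = tolower(substr(line, eq + 1))
            gsub(/[ \t\r"]/, "", key)
            gsub(/[ \t\r"]/, "", val)
            if (key != "log_errors") next
            if (val == "on" || val == "1" || val == "yes" || val == "true") {
                state = "on"
            } else {
                state = "off"
            }
        }
        END { print state }
    ' "$1"
}

# Return 0 only when the workaround is explicitly in place.
check_php3_ini() {
    [ -r "$1" ] || { echo "ERROR: cannot read $1" >&2; return 2; }
    case "$(log_errors_state "$1")" in
        off) echo "OK: log_errors is Off in $1"; return 0 ;;
        on)  echo "FAIL: log_errors is On in $1"; return 1 ;;
        *)   echo "WARN: log_errors not set in $1, built-in default applies"; return 1 ;;
    esac
}

# Demo on a constructed sample (not a real configuration). On a real host:
#   check_php3_ini /etc/php3/apache/php3.ini
sample=$(mktemp)
printf '%s\n' '; log_errors = Off' 'log_errors = On' \
    'LOG_ERRORS = off ; workaround' > "$sample"
check_php3_ini "$sample"    # the last uncommented assignment decides
rm -f "$sample"
```
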


