[VIM] [Fwd: Re: Buffer overflow in BusinessMail email server system 4.60.00]

Steve Tornio steve at vitriol.net
Mon Jun 4 18:32:43 UTC 2007



-------- Original Message --------
Subject: Re: Buffer overflow in BusinessMail email server system 4.60.00
Date: Mon, 4 Jun 2007 12:30:47 -0400
From: Ian Turner <iant at netcplus.com>
Reply-To: Ian Turner <iant at netcplus.com>
To: Steve Tornio <steve at vitriol.net>

In your message regarding Re: Buffer overflow in BusinessMail email 
server system 4.60.00 dated
Mon, 04 Jun 2007 11:22:43 -0500, Steve Tornio said that ...

> iant at netcplus.com wrote:
> > This problem was corrected within 14 days, and a new SMTP server was provided on our web site. This was back in 2005, we are now almost TWO YEARS ON, and you still claim it is a problem.
> > 
> 
> It is unclear who "you" is supposed to be here.  I'm guessing this is 
> the vulnerability referred to by:
> 
> OSVDB 18407
> CVE 2005-2472
> ISS 21636
> Secunia 16306
> Bugtraq 14434

There were several links to these, all headed as both SmartServer and 
BusinessMail.
I didn't notice your internal ID


> None of these indicate a solution is available.

Correct, and yet there is. And we emailed bugtraq with that information 
back at that (now long off)
time.


> The Mail List post reporting this vulnerability was 
> http://archives.neohapsis.com/archives/fulldisclosure/2005-08/0002.html
> 
> In the post, it says that a patch will soon be available.  A quick 
> glance at the download page at http://www.netcplus.com/downloads.html 
> doesn't reveal a link to download the patch for 4.6.  I also don't see 
> any advisory for users of 4.6 that a patch is available.

That is because it is already wrapped into the FREE upgrade to the 4.7 
release.

> We will be happy to update our entry at osvdb.org, after verifying that 
> a patch exists for 4.6, and an upgrade to 4.7 also solves the problem. 
> Is that correct?

Customers can visit the upgrades page of our site and download the 4.7 
upgrade. That IS NOW the fix
for the 4.6 vulnerability.
As we no longer ship 4.6 we felt it irrelevant to continue to have a 
link to a fix that is in the
latest free upgrade anyway.

You can download a full BusinessMail install to allow you to test this 
very simple fix out for
yourself.

Thanks !
Ian Turner

> 
> Thanks,
> Steve Tornio
> osvdb.org
> 
> > You **were** notified of the release of the fix, and we have many other confirmations that it is indeed a good fix.
> > 
> > We are now at 4.7 of BusinessMail, and that also still blocks this "vulnerability", and yet you continue to publish out of date and inaccurate information as being the truth.
> > 
> > Kindly update your published information as relevant to reflect the true facts of this buglet.
> > 
> > You can download an evaluation BusinessMail system from our web site to test this for yourself if you still do not believe us.
> > 
> > Thank You
> > 
> > 
> 
> 
> 



-- 
-----------------------------------------------
Ian Turner
NetcPlus Internet Solutions, Inc.
http://www.netcplus.com
-----------------------------------------------
Developers of the powerful and flexible
BUSINESSMAIL EMAIL SERVER SYSTEM
and NETCFAX NETWORKED FAX SYSTEM
designed especially for small to medium
sized business networks.





