Haraka and shellshock

It has recently been shown that Qmail is vulnerable to shellshock if you use a pipe filter in a .qmail file (as I do on one of my own machines).

I want Haraka users to know that if you have Haraka in front of Qmail, you are NOT vulnerable to this.
The reason is that Haraka validates MAIL FROM commands according to RFC 5321 rules, whereas Qmail does not – it simply passes any string through untested into the environment. I believe the same safety to be true of Qpsmtpd, though I have not tested it there.
All that said, upgrade your servers anyway. This is a nasty bug with multiple attack vectors.
