> The website still offers 6.0.7 (vulnerable) version for download, > So apparently no workaround exists except for shutting it down until > the patch or newer version is available. I got this in response to my enquiry with AltN about a fix for the problem: > This has been fixed in 6.5 which will be released later today. > If you are under valid upgrade protection you should get it for > free. I have just installed and tested 6.5 and it appears not to be vulnerable: +OK somedomain.com POP MDaemon 6.5.0 ready <MDAEMON-F200210300930.AA305746MD1473@somedomain.com> user blah +OK blah... Recipient ok pass 123456 +OK blah@somedomain.com's mailbox has 11 total messages (33599 octets). uidl 2147483648 +OK 1 MD50000008792:MSG:1168:29523767:3598244718 [...] 11 MD50000008802:MSG:4200:29523957:978208478 . uidl 2147483649 +OK 1 MD50000008792:MSG:1168:29523767:3598244718 [...] 11 MD50000008802:MSG:4200:29523957:978208478 . uidl 123456789012345678901234567890 -ERR no such message quit +OK blah@somedomain.com somedomain.com POP Server signing off (11 messages left) Note that for large integers it just returns from the UIDL command as if no argument were passed at all, but for even larger strings of digits, it errors that no such message exists. Basil Hussain
