Lawrence Greenfield wrote:
> I've applied this patch against imapd.c. pop3d doesn't currently have > this problem since it never services more than one connection. Au Contraire, pop3d does indeed have the same problem. To duplicate it, you connect to the pop3s port with 'openssl s_client', QUIT, then quickly telnet into the pop3s port. You will get a non-SSL pop3 service response because argv got trashed by setproctitle(). Anything that has a service_main() that cares about **argv is potentially affected by this unless MAX_USE is set to -1 in master/service.h (At which point you might as well be just sticking the thing in inetd).
