alt Hacker NewsRight, and that fork is the only version of qmail people still run, and the bug they found was extremely funny given Bernstein's original qmail design (it was, if I remember right, a popen(3) vulnerability --- something that never would have showed up in Bernstein's code, but that's what happens when code gets abandoned, it gets picked up by people who don't really understand it). But it's hard to charge that vulnerability against the original qmail design.
(I don't think anyone should run qmail.)
Actually the original qmail still works fine.
However it has some compatibility problems with modern practices, the most significant being that it does not know TLS.
Having to use TLS is the main reason for running a qmail fork instead of the original.