January 30, 2020 4:44 PM, gil...@poolp.org wrote:
> It depends on your configuration, not all setups are vulnerable.
>
> I think I recall your name from the comments on my tutorial and this is a
> setup that would not be vulnerable for example. The bug still exists, but
> it can't be used to exploit the same code path.
>
> You should update, this is not something you want to rely on.
>
> I'm writing a _very_ detailed post-mortem which will go into the details,
> I just want to give it a few days to make sure it is as informative as it
> should.
>
As promised, I have written a (too much?) detailed write-up about the recent event:

https://poolp.org/posts/2020-01-30/opensmtpd-advisory-dissected/

Hope it clarifies what happened and plans for the future.

Gilles