Really great article.
Was very fun to read.
And again thanks for your work on osmtpd, am actually sending from a
server set up from your poolp post :D
Sucks about the bug, but logic errors are the wurst.
Take care.
---
Aisha
blog.aisha.cc
On 2020-01-31 13:48, gil...@poolp.org wrote:
January 30, 2020 4:44 PM, gil...@poolp.org wrote:
It depends on your configuration, not all setups are vulnerable.
I think I recall your name from the comments on my tutorial and this is
a setup that would not be vulnerable for example. The bug still exists,
but it can't be used to exploit the same code path.
You should update, this is not something you want to rely on.
I'm writing a _very_ detailed post-mortem which will go into the
details, I just want to give it a few days to make sure it is as
informative as it should.
As promised, I have written a (too much ?) detailed write-up about the
recent event:
https://poolp.org/posts/2020-01-30/opensmtpd-advisory-dissected/
Hope it clarifies what happened and plans for the future.
Gilles