Hi Vijay, thank you very much for this detailed explanation. I found it especially useful to learn about CERT/CC's workflow, since people like me, who are neither security researchers nor maintainers of well-known software projects, have little insight into this. While I was able to reach VINCE's source code repository very fast, I was not able to find a good explanation on how the communication using it actually works, and what kind of information is shared by whom, and with whom.
So, in summary, I understood that from the initial description given by SEC, a) the way the attack works, b) the potential impact of spoofing SPF/DMARC, and above all c) that one might need to combine several different software products to perform the exploit, was not communicated explicitly enough, and thus the attack did not receive the attention that might have been warranted. According to SEC's timeline, this was still months before the release of their blog article, and therefore it's reasonable to assume that SEC themselves might not have fully explored the extent of the vulnerability they had discovered, or the degree to which FLOSS projects like Postfix or Sendmail were actually affected. Maybe they only learned about this later, when compiling their article. On Saturday, 2023-12-23 02:30+01:00, Vijay S Sarvepalli <vssarvepa...@cert.org> wrote: > Retrospectively, the most valuable thing we could have had is a Preview of > the Blog privately to all vendors impacted before releasing it. This is > something SEC could have done (or CERT/CC requested) that may have brought > more clarity for what exactly SEC Consult is talking about (or how much > bigger the research had become) and potentially delayed the disclosure to > give Vendors more time. I think this is a very good way to look at it, and a helpful lesson from this situation. Especially since, reading the article as it was published, it is obvious that SEC must have known the impact to Postfix and Sendmail. I understand their urge to notify Cisco customers about the problematic default configuration, but this was just bad timing and caused unnecessary stress for the Postfix maintainers and admins. Thanks again, and best regards Tim. _______________________________________________ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
