On Tue, Mar 08, 2011 at 12:59:15PM +1100, Brad Hards wrote:

> On Tue, 8 Mar 2011 07:08:09 am Wietse Venema wrote:
> > This is a writeup about a flaw that I found recently, and that
> > existed in multiple implementations of SMTP (Simple Mail Transfer
> > Protocol) over TLS (Transport Layer Security) including my Postfix
> > open source mailserver. I give an overview of the problem and its
> > impact, technical background, how to find out if a server is affected,
> > fixes, and draw lessons about where we can expect similar problems
> > now or in the future. A time line is at the end.
>
> Thanks for the write-up.

It is a bit disappointing that very few of the potentially impacted
vendors, and some definitely impacted vendors are yet to respond to
the vulnerability:

    http://www.kb.cert.org/vuls/id/555316

Some email appliance vendors are not on the list. Apart from Postfix,
Qmail, and some large mailbox hosting providers, which are already
fixed, the issue will likely linger in less visible products for some
time...

--
Viktor.