Victor Duchovni:
> On Tue, Mar 08, 2011 at 12:59:15PM +1100, Brad Hards wrote:
> 
> > On Tue, 8 Mar 2011 07:08:09 am Wietse Venema wrote:
> > > This is a writeup about a flaw that I found recently, and that
> > > existed in multiple implementations of SMTP (Simple Mail Transfer
> > > Protocol) over TLS (Transport Layer Security) including my Postfix
> > > open source mailserver. I give an overview of the problem and its
> > > impact, technical background, how to find out if a server is affected,
> > > fixes, and draw lessons about where we can expect similar problems
> > > now or in the future. A time line is at the end.
> >
> > Thanks for the write-up. 
> 
> It is a bit disappointing that very few of the potentially impacted
> vendors, and some definitely impacted vendors are yet to respond to
> the vulnerability:
> 
>     http://www.kb.cert.org/vuls/id/555316
> 
> Some email appliance vendors are not on the list. Apart from Postfix,
> Qmail, and some large mailbox hosting providers, which are already
> fixed, the issue will likely linger in less visible products for
> some time...

It's easy enough to make the one-line change to openssl source, so
that people can check for this now if they are concerned.

I would expect that penetration test toolkits will eventually look
for starttls plaintext injection vulnerabilities.  But that may
take a while.

Publishing "shame" lists on the web is better done by people who
work for organizations with no commercial interest in the issue.

        Wietse
