Hi Wietse, thanks for getting back to me so quickly. Please rest assured that I'm not looking for someone to blame. My motivation is to try to find out whether SEC's release process really has been as responsible as they claim:
> We strictly adhere to our responsible disclosure processes
> (https://sec-consult.com/vulnerability-lab/responsible-disclosure-policy/)
> and always contact affected vendors before any publication. But in this case
> a lack of clarity in the communication and different interpretations of the
> impact of the vulnerability led to assumptions from all parties involved on
> who is affected, what the real impact could be and who has to be notified
> before publication.

Because to me it looks like they went through a lot of effort to talk to commercial vendors, investing weeks of communication with Cisco for example, but offloaded FLOSS contact to CERT/CC and made no effort to illustrate the scope of the attack.

On Friday, 2023-12-22 18:17+01:00, Wietse Venema <wie...@porcupine.org> wrote:
> CERT/CC reached out to Postfix developers. At no point were we made
> aware that there was a successful SPF spoofing attack that required
> the combination of TWO email services with SPECIFIC DIFFERENCES in
> the way they handle line endings other than <CR><LF>.

Just so I get this right: You've received information from CERT/CC that there's an attack that requires non-standard line endings, but you didn't know that it had been successfully exploited in the wild, and that the researchers had identified Postfix as being vulnerable to it?

I assume you've looked over the attack and decided "yeah, Postfix _would_ interpret this as two messages, but no serious server out there is actually _sending_ these broken lines without sanitizing them first"? Or maybe "okay then, Postfix will interpret this as two messages, but where's the problem"? And they haven't told you "look, Exchange is sending these, _and_ we've broken SPF/DMARC using that" either, thus leading to you misjudging the impact?

I really appreciate you taking the time to reply even though you're clearly unhappy about the timing of the whole issue. Feel free to stop replying at any time, I don't want to be an additional burden.

Thanks, Tim.

_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org