Re: Remotely triggerable buffer overflow in OpenSMTPD

2015-10-05 Thread Gilles Chehade
On Mon, Oct 05, 2015 at 12:38:50AM +0200, Jason A. Donenfeld wrote:
> Hi folks,
>
> I'm passing the gauntlet for anyone who wants to analyze this for
> impact etc. There's a remotely triggerable buffer overflow in
> OpenBSD's OpenSMTPD -- the latest version, 5.7.2 -- reachab

Re: Remotely triggerable buffer overflow in OpenSMTPD

2015-10-05 Thread Joerg Jung
> On 05 Oct 2015, at 00:38, Jason A. Donenfeld wrote:
>
> At some point we might want a CVE for this.
>
Please, next time you publish such a security issue -- give developers a chance to provide patches, *before* going public. Think of the production servers which run

Re: Remotely triggerable buffer overflow in OpenSMTPD

2015-10-05 Thread Gilles Chehade
On Mon, Oct 05, 2015 at 10:38:34AM +0200, Joerg Jung wrote:
>
> > On 05 Oct 2015, at 00:38, Jason A. Donenfeld wrote:
> >
> > At some point we might want a CVE for this.
> >
>
> Please, next time you publish such a security issue -- give developers a
> chance
> to provide

Remotely triggerable buffer overflow in OpenSMTPD

2015-10-04 Thread Jason A. Donenfeld
Hi folks, I'm passing the gauntlet for anyone who wants to analyze this for impact etc. There's a remotely triggerable buffer overflow in OpenBSD's OpenSMTPD -- the latest version, 5.7.2 -- reachable by sending messages with huge header lines. Qualys recently published a result of a big audit