Saturday, February 01, 2020

Re: How did it happen?

On 31 January 2020 18:48:51 GMT+00:00, gilles@poolp.org wrote:
>January 30, 2020 4:44 PM, gilles@poolp.org wrote:
>
>> It depends on your configuration, not all setups are vulnerable.
>>
>> I think I recall your name from the comments on my tutorial and this is a
>> setup that would not be vulnerable for example. The bug still exists, but
>> it can't be used to exploit the same code path.
>>
>> You should update, this is not something you want to rely on.
>>
>> I'm writing a _very_ detailed post-mortem which will go into the details,
>> I just want to give it a few days to make sure it is as informative as it
>> should.
>>
>
>
>As promised, I have written a (too much ?) detailed write-up about the
>recent event:
>
> https://poolp.org/posts/2020-01-30/opensmtpd-advisory-dissected/
>
>Hope it clarifies what happened and plans for the future.
>
>Gilles

Thank you very much Gilles for the insights.

It's not really your fault, because that is how our brains work. If we want to get things working, we concentrate on getting them working, not on how to break them. It's amazing that the code worked as "intended"; that means you are a very good dev. Logical fallacies hit us every day; we are human.

I would give +1 to not delivering mail directly to root.
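The suggestion above (redirect root's mail to an unprivileged user) is only effective if the alias chain really ends somewhere other than root. The following is an added example, not part of the original post or of OpenSMTPD itself: a small POSIX sh check that follows `name: target` entries in a sendmail-style aliases file (the format OpenSMTPD's `table aliases file:/etc/mail/aliases` reads) and reports where root's mail finally lands. The sample aliases file is constructed here for the demonstration; `resolve_alias` and `delivers_to_root` are names chosen for this example.

```shell
#!/bin/sh
# Constructed sample aliases file (example data, not from any real system).
ALIASES_FILE="$(mktemp)"
cat > "$ALIASES_FILE" <<'EOF'
# root's mail goes to the admin alias, which resolves to a real user
root: admin
admin: bob
postmaster: root
EOF

# resolve_alias FILE NAME: follow "name: target" entries until a name with
# no entry is reached; that name is the mailbox that actually receives the
# mail. Comment lines and blank lines never match. Only the first target of
# a comma-separated entry is followed, and alias loops are cut off after
# 16 hops (assumed limit for this example).
resolve_alias() {
    file="$1"; name="$2"; hops=0
    while [ "$hops" -lt 16 ]; do
        target=$(sed -n "s/^[[:space:]]*$name[[:space:]]*:[[:space:]]*//p" "$file" \
                 | head -n 1 | cut -d, -f1 | tr -d '[:space:]')
        [ -z "$target" ] && break
        name="$target"
        hops=$((hops + 1))
    done
    printf '%s\n' "$name"
}

# delivers_to_root FILE: succeeds (exit 0) when root's mail ends up in
# root's own mailbox, i.e. no effective alias is in place.
delivers_to_root() {
    [ "$(resolve_alias "$1" root)" = "root" ]
}

if delivers_to_root "$ALIASES_FILE"; then
    echo "root mail is delivered to root's own mailbox; add a root: alias"
else
    echo "root mail is redirected to $(resolve_alias "$ALIASES_FILE" root)"
fi
```

Run it against the real file with `ALIASES_FILE=/etc/mail/aliases` substituted for the constructed one; after editing the aliases file on an OpenSMTPD host, the table must be reloaded (for example with `smtpctl update table aliases`) before the change takes effect.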
