SEC Consult is Irresponsible, Publishes Attack Code for Postfix a Week Before Christmas (When Developers Need Rest and Administrators Are Away, Won't Patch)
LAST weekend, i.e. before we slowed down a lot (we too need to rest sometimes), we saw this article by Wietse Venema. It was last updated yesterday. "Unfortunately," Venema explains, "critical information provided by the researcher was not passed on to Postfix maintainers before publication of the attack, otherwise we would certainly have convinced SEC Consult to postpone publication until after people had a chance to update their Postfix systems."
The timeline is given as follows:
Dec 18: SEC Consult publishes an attack that involves the composition of two different email service behaviors.
Dec 19: Research and implement a fix for Postfix, start testing and Q/A.
Dec 20: Draft this response document at https://www.postfix.org/smtp-smuggling.html.
Dec 21: Address two problems found during validation (with BDAT and XCLIENT), update the Postfix 3.9 unstable release, and start patching the Postfix 3.5 .. 3.8 stable versions.
Dec 22: Publish updated source code releases for stable Postfix versions 3.8.4, 3.7.9, 3.6.13, 3.5.23.
Dec 22: Last day before a 10+ day holiday break, start of production change freezes until early January.
Dec 24: Someone (not at SEC Consult) created CVE-2023-51764. Unfortunately this contains many factual errors. Wietse has informed the person who requested the CVE.
TBD: OSS distributions publish updated packages for Postfix versions 3.8.4, 3.7.9, 3.6.13, 3.5.23.
Why did SEC Consult do this one week before Christmas? They love to talk about responsible disclosure and the like; look at what they do themselves.
Could they not have chosen a better time for disclosure? Was the timing intentional? It ruins the holidays of many people, not just the developers of Postfix. █