The #SMTPSmuggling attack is being mitigated and tracked in the following CVEs:
- CVE-2023-51764 postfix
- CVE-2023-51765 sendmail
- CVE-2023-51766 exim
All three CVEs have been filed *today* by the community and NOT by SEC Consult, who discovered the flaw in June 2023 but decided not to share their findings with postfix, sendmail or exim. Only after they published their post on 2023-12-18 did the communities become aware, and they are now working hard to fix what is now more of a 0day :(
What a wonderful way for open source developers to go into the holiday season. This gives the "push to prod on Friday" joke a whole new meaning. SEC Consult made some sort of excuse for their behaviour of not sharing this earlier but will give a talk on the topic at 37C3 on day one nevertheless.