Serious Security – How ‘special case’ code blew a hole in OpenSMTPD – Naked Security


If there’s one open source project with an unashamedly clear focus on security, it’s the OpenBSD operating system.

In its own words, its efforts “emphasize portability, standardization, correctness, proactive security and integrated cryptography.”

Indeed, numerous sub-projects under the OpenBSD umbrella have become well-known cybersecurity names in their own right, notably OpenSSH – which ships with almost every Linux distribution and, since Windows 10, with Windows – and LibreSSL.

There’s also OpenSMTPD, a mail server that aims to allow “ordinary machines to exchange emails with other systems speaking the SMTP protocol”, for example to let you run a mail server of your own instead of relying on cloud services like Gmail or Outlook.com.

Well, if you do use OpenSMTPD, you need to make sure you’re not vulnerable to a recently disclosed bug that could let a crook take over your server simply by sending an email containing malicious commands, so check that you are running a patched version.

Being security-conscious doesn’t stop the OpenBSD project from writing buggy code…

…but it has made the core team very quick at responding when bugs are reported, which is what happened in this case.