Hey! Trying to get our first pilot project through our Security team. They have raised this advisory as a potential blocker. Can you provide information on how this issue impacts KumoMTA, and more broadly, your policy on patching issues such as this?
Hey there @exciting-lynx, thanks for posting. Please read the “Troubleshooting” and “How to Ask for Help” buttons below. If you would like a 1:1 support session from the KumoMTA team, details are at the “Book a Support Session” button below.
That one is present because of legacy DKIM needs. I think to exploit this for DKIM, the attacker would need to be an authorized sender and be able to submit mail, and observe the resulting signed mail that left the system. Or you block rsa as a signing option.
And even then, that would in theory pose a vulnerability to the DKIM signature they were using. Rotating keys is good of course, and we will implement any upstream fixes as they are available.
FWIW, the default configuration in kumomta is to prefer to use the openssl RSA implementation, which is 30% or more faster than that in the rsa crate. In that configuration, the rsa crate is not used for signing, which mitigates this advisory completely.
thank you.
Any statement regarding security patching in general?
We regularly update our deps to the best available version in the main branch, and will do so to sweep and pick up any existing fixes for advisories in our dependencies as we’re made aware of them.
We don’t do patch releases for existing “stable” versions of kumomta, but we keep the main branch generally in a production-ready state so that we are never far from being able to cut a new stable build from it if the circumstances require it.
Any security scanning tools in use to validate the code? Snyk or the like?
(is there a Rust equivalent? heh)
We use GitHub’s dependabot to notify and manage rustsec advisories. We don’t use any other security-related tooling at this time.
All right, thank you.
FWIW, I’ve removed the rsa crate from the dep graph as part of the commit “dkim: remove usage of `rsa` crate” (KumoCorp/kumomta@fa1dec6) to really head this sort of thing off.
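For anyone who has to show their own security team that a given build no longer links the crate an advisory targets, here is a small added check. It is not code from this thread or from the KumoMTA project; it parses the `[[package]]` entries of a Cargo.lock and reports whether a named crate (here `rsa`) is present, which versions, and which packages pull it in. The lock-file contents, crate names such as `example-dkim-signer` and the version numbers are constructed for the demonstration and do not describe KumoMTA's real dependency graph.

```python
"""Report whether a crate is still part of a Cargo.lock dependency graph.

Added example (not KumoMTA's own code). It is the manual counterpart of the
dependabot/rustsec notification the thread mentions: after updating deps or
removing a crate, confirm the lock file really no longer contains it.
"""
import re
import sys
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample Cargo.lock: package names and versions are placeholders.
SAMPLE_LOCK = '''
# This file is automatically @generated by Cargo.
version = 3

[[package]]
name = "example-tls"
version = "0.10.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
dependencies = [
 "example-tls-sys",
]

[[package]]
name = "rsa"
version = "0.9.0"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "example-dkim-signer"
version = "0.1.0"
dependencies = [
 "rsa",
]
'''

_KV_RE = re.compile(r'^(name|version)\s*=\s*"([^"]*)"$')
# A dependency entry is `"name",` or `"name version",`; keep only the name.
_DEP_ITEM_RE = re.compile(r'^"([^"\s]+)[^"]*",?$')


@dataclass
class LockPackage:
    name: str = ""
    version: str = ""
    dependencies: List[str] = field(default_factory=list)


def parse_lock_packages(lock_text: str) -> List[LockPackage]:
    """Return one LockPackage per [[package]] block (name, version, deps)."""
    packages: List[LockPackage] = []
    current: Optional[LockPackage] = None
    in_deps = False
    for raw in lock_text.splitlines():
        line = raw.strip()
        if line == "[[package]]":
            if current is not None:
                packages.append(current)
            current = LockPackage()
            in_deps = False
            continue
        if current is None:
            continue  # header lines before the first package block
        if in_deps:
            if line == "]":
                in_deps = False
            else:
                m = _DEP_ITEM_RE.match(line)
                if m:
                    current.dependencies.append(m.group(1))
            continue
        if line.startswith("dependencies = ["):
            in_deps = not line.endswith("]")  # `dependencies = []` is inline
            continue
        m = _KV_RE.match(line)
        if m:
            setattr(current, m.group(1), m.group(2))
    if current is not None:
        packages.append(current)
    return packages


def versions_of(lock_text: str, crate: str) -> List[str]:
    """All versions of `crate` in the graph (several if different majors)."""
    return sorted(p.version for p in parse_lock_packages(lock_text) if p.name == crate)


def dependents_of(lock_text: str, crate: str) -> List[str]:
    """Packages that list `crate` as a direct dependency."""
    return sorted(p.name for p in parse_lock_packages(lock_text) if crate in p.dependencies)


def crate_report(lock_text: str, crate: str) -> str:
    versions = versions_of(lock_text, crate)
    if not versions:
        return f"{crate}: not present in dependency graph"
    pulled_by = ", ".join(dependents_of(lock_text, crate)) or "workspace root"
    return f"{crate}: present (versions {', '.join(versions)}); pulled in by {pulled_by}"


if __name__ == "__main__":
    # Usage: python check_lock.py [path/to/Cargo.lock] [crate]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOCK
    print(crate_report(text, sys.argv[2] if len(sys.argv) > 2 else "rsa"))
```

On a checkout of the project, `cargo tree -i rsa` gives the same answer from Cargo itself; the script is useful when you only have the lock file from a build artifact and want a reproducible check to attach to a review.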