Post Syndicated from jake original https://lwn.net/Articles/956533/

Normally, when a new vulnerability is discovered and releases are
coordinated with those affected, the announcement is done at
a convenient time—not generally right before the end-of-year holidays, for
example. The SMTP
Smuggling vulnerability has taken a different path, however, with its
announcement landing on December 18. That may well have been
unpleasant for some administrators that had not yet updated, but it was
particularly problematic for
some projects that had not been made aware of the vulnerability at
all—though it was known to affect several open-source mailers.