MGASA-2021-0462

See a problem?
Please try reporting it to the source first.

Source

https://advisories.mageia.org/MGASA-2021-0462.html

Import Source

https://advisories.mageia.org/MGASA-2021-0462.json

JSON Data

https://api.osv.dev/v1/vulns/MGASA-2021-0462

Related

Published

2021-10-06T19:41:56Z

Modified

2021-10-06T19:13:05Z

Summary

Updated opendmarc packages fix security vulnerability

Details

OpenDMARC through 1.3.2 and 1.4.x, when used with pypolicyd-spf 2.0.2, allows attacks that bypass SPF and DMARC authentication in situations where the HELO field is inconsistent with the MAIL FROM field (CVE-2019-20790).

OpenDMARC through 1.3.2 and 1.4.x allows attacks that inject authentication results to provide false information about the domain that originated an e-mail message. This is caused by incorrect parsing and interpretation of SPF/DKIM authentication results, as demonstrated by the example.net(.example.com substring (CVE-2020-12272).

OpenDMARC through 1.3.2 and 1.4.x through 1.4.0-Beta1 has improper null termination in the function opendmarcxmlparse that can result in a one-byte heap overflow in opendmarcxml when parsing a specially crafted DMARC aggregate report. This can cause remote memory corruption when a '\0' byte overwrites the heap metadata of the next chunk and its PREVINUSE flag (CVE-2020-12460).

References

Credits

- Mageia - COORDINATOR
- - https://wiki.mageia.org/en/Packages_Security_Team

Affected packages

Mageia:8 / opendmarc

Package

Name: opendmarc
Purl: pkg:rpm/mageia/opendmarc?distro=mageia-8

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.4.1.1-1.mga8

Ecosystem specific

{
    "section": "core"
}