Bug#977767: opendmarc: CVE-2020-12272
On Sat, May 29, 2021 at 10:43:21AM +0200, David Bürgin wrote:
> > This appears to have been fixed in
> > https://github.com/trusteddomainproject/OpenDMARC/commit/f3a9a9d4edfaa05102292727d021683f58aa4b6e,
> > could we get that in Bullseye?
>
> This isn’t the only commit for CVE-2020-12272.

Thanks, can you please provide the additional commits needed so that we can update the Debian Security Tracker?

> I have been preparing OpenDMARC 1.4.1.1 for bookworm in Salsa. I’m also
> preparing patches for all open CVEs for bullseye. Unless Scott wants to
> push this forward faster, I expect the patches to be in the first
> security update or so.

Better let's push these to bullseye before it gets released, then. Security fixes are perfectly fine during the current freeze still.

Cheers,
Moritz
Bug#977767: opendmarc: CVE-2020-12272
> This appears to have been fixed in
> https://github.com/trusteddomainproject/OpenDMARC/commit/f3a9a9d4edfaa05102292727d021683f58aa4b6e,
> could we get that in Bullseye?

This isn’t the only commit for CVE-2020-12272.

I have been preparing OpenDMARC 1.4.1.1 for bookworm in Salsa. I’m also preparing patches for all open CVEs for bullseye. Unless Scott wants to push this forward faster, I expect the patches to be in the first security update or so.
Bug#977767: opendmarc: CVE-2020-12272
Am Sun, Dec 20, 2020 at 02:15:34PM +0100 schrieb Salvatore Bonaccorso:
> Source: opendmarc
> Version: 1.4.0~beta1+dfsg-3
> Severity: important
> Tags: security upstream
> Forwarded: https://sourceforge.net/p/opendmarc/tickets/237/
> X-Debbugs-Cc: car...@debian.org, Debian Security Team
>
> Control: found -1 1.3.2-6+deb10u1
> Control: found -1 1.3.2-6
>
> Hi,
>
> The following vulnerability was published for opendmarc, filing for
> tracking purposes in the BTS.
>
> CVE-2020-12272[0]:
> | OpenDMARC through 1.3.2 and 1.4.x allows attacks that inject
> | authentication results to provide false information about the domain
> | that originated an e-mail message. This is caused by incorrect parsing
> | and interpretation of SPF/DKIM authentication results, as demonstrated
> | by the example.net(.example.com substring.
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2020-12272
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12272
> [1] https://sourceforge.net/p/opendmarc/tickets/237/

This appears to have been fixed in https://github.com/trusteddomainproject/OpenDMARC/commit/f3a9a9d4edfaa05102292727d021683f58aa4b6e, could we get that in Bullseye?

Cheers,
Moritz
Bug#977767: opendmarc: CVE-2020-12272
Source: opendmarc
Version: 1.4.0~beta1+dfsg-3
Severity: important
Tags: security upstream
Forwarded: https://sourceforge.net/p/opendmarc/tickets/237/
X-Debbugs-Cc: car...@debian.org, Debian Security Team

Control: found -1 1.3.2-6+deb10u1
Control: found -1 1.3.2-6

Hi,

The following vulnerability was published for opendmarc, filing for tracking purposes in the BTS.

CVE-2020-12272[0]:
| OpenDMARC through 1.3.2 and 1.4.x allows attacks that inject
| authentication results to provide false information about the domain
| that originated an e-mail message. This is caused by incorrect parsing
| and interpretation of SPF/DKIM authentication results, as demonstrated
| by the example.net(.example.com substring.

If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-12272
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12272
[1] https://sourceforge.net/p/opendmarc/tickets/237/

Regards,
Salvatore
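The CVE text above attributes the problem to how Authentication-Results (RFC 8601) values are parsed, with `example.net(.example.com` as the illustrating substring: in RFC 5322 header syntax everything from the `(` onward is a comment and carries no authentication meaning. The following Python is an added illustration of that point, written for this page; it is neither OpenDMARC's code nor the upstream fix commit, and the header values in it are constructed samples. It strips comments before tokenizing the header and compares the authenticated domain exactly, then contrasts that with a naive substring check (constructed here to show the failure class the CVE describes, not a claim about OpenDMARC's internals) that accepts `example.com` because the string merely appears inside the comment.

```python
"""Parse Authentication-Results (RFC 8601) with CFWS comment stripping and
compare the result of a strict domain check against a naive substring check.
Added example for this bug thread; not OpenDMARC code. Sample values are
constructed, not captured mail."""

# Constructed sample header values. The second embeds the
# "example.net(.example.com" substring quoted in the CVE description:
# the "(" opens an RFC 5322 comment, so only "example.net" is the value.
AR_LEGIT = "mx.example.org; spf=pass smtp.mailfrom=example.com"
AR_INJECTED = "mx.example.org; spf=pass smtp.mailfrom=example.net(.example.com)"


def strip_comments(value):
    """Remove RFC 5322 comments, honouring nesting and quoted-pairs inside them."""
    out = []
    depth = 0
    i = 0
    while i < len(value):
        c = value[i]
        if depth > 0 and c == "\\":
            i += 2          # quoted-pair inside a comment: skip the escaped char too
            continue
        if c == "(":
            depth += 1
        elif c == ")" and depth > 0:
            depth -= 1
        elif depth == 0:
            out.append(c)   # only text outside comments survives
        i += 1
    return "".join(out)


def parse_auth_results(header):
    """Return (authserv-id, list of {method, result, props}).

    Comments are removed before any tokenizing, so text inside "(...)" can
    never be mistaken for a method result or a property value."""
    clean = strip_comments(header)
    parts = [p.strip() for p in clean.split(";")]
    authserv = parts[0].split()[0] if parts and parts[0] else ""
    results = []
    for part in parts[1:]:
        if not part or part.lower() == "none":
            continue
        tokens = part.split()
        method, _, result = tokens[0].partition("=")
        props = {}
        for tok in tokens[1:]:
            key, sep, val = tok.partition("=")
            if sep and "." in key:   # ptype.property=value, e.g. smtp.mailfrom=
                props[key.lower()] = val.strip('"').lower()
        results.append({"method": method.lower(), "result": result.lower(),
                        "props": props})
    return authserv, results


def spf_mailfrom_domain(header):
    """Domain that SPF actually authenticated (None if no spf=pass)."""
    _, results = parse_auth_results(header)
    for r in results:
        if r["method"] == "spf" and r["result"] == "pass":
            mailfrom = r["props"].get("smtp.mailfrom", "")
            return mailfrom.rsplit("@", 1)[-1] or None
    return None


def spf_aligned(header, from_domain):
    """Strict alignment: exact, case-insensitive match of the parsed domain."""
    domain = spf_mailfrom_domain(header)
    return domain is not None and domain == from_domain.lower()


def naive_spf_aligned(header, from_domain):
    """Constructed naive check: substring presence. It is fooled by comment
    text and is shown only to contrast with the parsing above."""
    return "spf=pass" in header and from_domain.lower() in header.lower()


if __name__ == "__main__":
    for label, hdr in (("legit", AR_LEGIT), ("injected", AR_INJECTED)):
        print(label, "parsed:", spf_mailfrom_domain(hdr),
              "strict:", spf_aligned(hdr, "example.com"),
              "naive:", naive_spf_aligned(hdr, "example.com"))
```

Run as a script it shows the parser extracting `example.net` from the second header while the naive check still reports alignment with `example.com`; the detection lesson for a DMARC filter is that an Authentication-Results value must be tokenized only after comments are removed, and that the authserv-id should be checked so that headers not added by the local trusted verifier are discarded rather than trusted.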