Am Sun, Dec 20, 2020 at 02:15:34PM +0100 schrieb Salvatore Bonaccorso: > Source: opendmarc > Version: 1.4.0~beta1+dfsg-3 > Severity: important > Tags: security upstream > Forwarded: https://sourceforge.net/p/opendmarc/tickets/237/ > X-Debbugs-Cc: car...@debian.org, Debian Security Team > <t...@security.debian.org> > Control: found -1 1.3.2-6+deb10u1 > Control: found -1 1.3.2-6 > > Hi, > > The following vulnerability was published for opendmarc, filling for > tracking purposes in the BTS. > > CVE-2020-12272[0]: > | OpenDMARC through 1.3.2 and 1.4.x allows attacks that inject > | authentication results to provide false information about the domain > | that originated an e-mail message. This is caused by incorrect parsing > | and interpretation of SPF/DKIM authentication results, as demonstrated > | by the example.net(.example.com substring. > > > If you fix the vulnerability please also make sure to include the > CVE (Common Vulnerabilities & Exposures) id in your changelog entry. > > For further information see: > > [0] https://security-tracker.debian.org/tracker/CVE-2020-12272 > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12272 > [1] https://sourceforge.net/p/opendmarc/tickets/237/
This appears to have been fixed in https://github.com/trusteddomainproject/OpenDMARC/commit/f3a9a9d4edfaa05102292727d021683f58aa4b6e, could we get that in Bullseye? Cheers, Moritz
