CVE-2020-12272 (https://nvd.nist.gov/vuln/detail/CVE-2020-12272): OpenDMARC through 1.3.2 and 1.4.x allows attacks that inject authentication results to provide false information about the domain that originated an e-mail message. This is caused by incorrect parsing and interpretation of SPF/DKIM authentication results, as demonstrated by the example.net(.example.com substring.
* CVE-2019-20790 Description: "OpenDMARC through 1.3.2 and 1.4.x, when used with pypolicyd-spf 2.0.2, allows attacks that bypass SPF and DMARC authentication in situations where the HELO field is inconsistent with the MAIL FROM field." URL: https://bugs.launchpad.net/pypolicyd-spf/+bug/1838816 URL: https://sourceforge.net/p/opendmarc/tickets/235/ URL: https://github.com/trusteddomainproject/OpenDMARC/pull/48
FWICS, current stable version in tree (1.4.1.1) should fix that? See: https://github.com/trusteddomainproject/OpenDMARC/blob/master/RELEASE_NOTES
(In reply to Conrad Kostecki from comment #2) > FWICS, current stable version in tree (1.4.1.1) should fix that? > > See: > https://github.com/trusteddomainproject/OpenDMARC/blob/master/RELEASE_NOTES I see the fix for CVE-2019-20790, but not CVE-2020-12272.
New URL points reporter to https://github.com/trusteddomainproject/OpenDMARC/tree/master/SECURITY, which has details on these two CVEs. A fixed version isn't listed for CVE-2019-20790, but 1.4.1 is the fix for CVE-2020-12272.
Both fixes are in 1.4.1: https://github.com/trusteddomainproject/OpenDMARC/issues/191#issuecomment-967339831
