Summary: | <mail-filter/opendmarc-1.4.1: Multiple vulnerabilities (CVE-2019-20790, CVE-2020-12272) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | GLSAMaker/CVETool Bot <glsamaker> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | IN_PROGRESS --- | ||
Severity: | minor | CC: | grobian |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | https://github.com/trusteddomainproject/OpenDMARC/issues/191 | ||
See Also: | https://bugs.gentoo.org/show_bug.cgi?id=734158 | ||
Whiteboard: | B4 [glsa? cve] | ||
Package list: | Runtime testing required: | --- |
Description
GLSAMaker/CVETool Bot
2020-04-27 18:44:35 UTC
* CVE-2019-20790 Description: "OpenDMARC through 1.3.2 and 1.4.x, when used with pypolicyd-spf 2.0.2, allows attacks that bypass SPF and DMARC authentication in situations where the HELO field is inconsistent with the MAIL FROM field." URL: https://bugs.launchpad.net/pypolicyd-spf/+bug/1838816 URL: https://sourceforge.net/p/opendmarc/tickets/235/ URL: https://github.com/trusteddomainproject/OpenDMARC/pull/48 FWICS, current stable version in tree (1.4.1.1) should fix that? See: https://github.com/trusteddomainproject/OpenDMARC/blob/master/RELEASE_NOTES (In reply to Conrad Kostecki from comment #2) > FWICS, current stable version in tree (1.4.1.1) should fix that? > > See: > https://github.com/trusteddomainproject/OpenDMARC/blob/master/RELEASE_NOTES I see the fix for CVE-2019-20790, but not CVE-2020-12272. New URL points reporter to https://github.com/trusteddomainproject/OpenDMARC/tree/master/SECURITY, which has details on these two CVEs. A fixed version isn't listed for CVE-2019-20790, but 1.4.1 is the fix for CVE-2020-12272. Both fixes are in 1.4.1: https://github.com/trusteddomainproject/OpenDMARC/issues/191#issuecomment-967339831 |