OpenDMARC through 1.3.2 and 1.4.x allows attacks that inject authentication
results to provide false information about the domain that originated an
e-mail message. This is caused by incorrect parsing and interpretation of
SPF/DKIM authentication results, as demonstrated by the
"OpenDMARC through 1.3.2 and 1.4.x, when used with pypolicyd-spf 2.0.2, allows attacks that bypass SPF and DMARC authentication in situations where the HELO field is inconsistent with the MAIL FROM field."
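The defensive side of both descriptions above, as an added example that is not OpenDMARC's or pypolicyd-spf's code: a small evaluator of Authentication-Results headers that honours only results stamped by the trusted local authserv-id (so injected results are ignored) and lets an SPF pass count toward DMARC only through the smtp.mailfrom identity, so a pass earned by a HELO that disagrees with MAIL FROM never aligns. The authserv-id, the sample headers and the strict-alignment simplification (no organizational-domain relaxed mode) are assumptions.

```python
import re
from email.utils import parseaddr

# Assumed authserv-id of the local gateway (hypothetical value, not from the report).
TRUSTED_AUTHSERV_ID = "mx.example.org"
_AR_RE = re.compile(r"\b(spf|dkim)=([a-z]+)((?:\s+[\w.]+=[^;\s]+)*)", re.I)

def parse_authres(value):
    """Split one Authentication-Results value into (authserv-id, [(method, result, props)])."""
    value = re.sub(r"\([^)]*\)", "", value)  # drop CFWS comments such as "(good signature)"
    authserv_id, _, rest = value.partition(";")
    results = []
    for method, result, props in _AR_RE.findall(rest):
        kv = dict(p.split("=", 1) for p in props.split())
        results.append((method.lower(), result.lower(), kv))
    return (authserv_id.split() or [""])[0].lower(), results

def _domain(addr):
    return parseaddr(addr)[1].rpartition("@")[2].lower()

def dmarc_alignment(headers, trusted=TRUSTED_AUTHSERV_ID):
    """Strict-mode DMARC alignment from Authentication-Results headers: honour only results
    stamped by the trusted authserv-id (a gateway also strips pre-existing headers carrying its
    own authserv-id at the border, RFC 8601 section 5), and count an SPF pass only via
    smtp.mailfrom, so a pass earned by the HELO identity alone never aligns with From."""
    from_domain = _domain(dict((k.lower(), v) for k, v in headers)["from"])
    spf_aligned = dkim_aligned = False
    for name, value in headers:
        if name.lower() != "authentication-results":
            continue
        authserv_id, results = parse_authres(value)
        if authserv_id != trusted:
            continue  # foreign or injected result: ignore
        for method, result, props in results:
            if result != "pass":
                continue
            if method == "spf" and _domain(props.get("smtp.mailfrom", "")) == from_domain:
                spf_aligned = True
            elif method == "dkim" and props.get("header.d", "").lower() == from_domain:
                dkim_aligned = True
    return {"spf_aligned": spf_aligned, "dkim_aligned": dkim_aligned,
            "dmarc_pass": spf_aligned or dkim_aligned}

# Constructed sample header lists (not taken from the report).
FROM = ("From", "Alice <alice@example.org>")
INJECTED = [FROM, ("Authentication-Results", "attacker.test; spf=pass smtp.mailfrom=alice@example.org"),
            ("Authentication-Results", "mx.example.org; spf=fail smtp.mailfrom=alice@example.org; dkim=none")]
HELO_ONLY = [FROM, ("Authentication-Results",
             "mx.example.org; spf=pass smtp.helo=mail.example.org smtp.mailfrom=bounce@attacker.test")]
LEGIT = [FROM, ("Authentication-Results", "mx.example.org; dkim=pass (good signature) "
         "header.d=example.org; spf=pass smtp.mailfrom=alice@example.org")]
```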
FWICS, current stable version in tree (18.104.22.168) should fix that?
(In reply to Conrad Kostecki from comment #2)
> FWICS, current stable version in tree (22.214.171.124) should fix that?
I see the fix for CVE-2019-20790, but not CVE-2020-12272.
New URL points reporter to https://github.com/trusteddomainproject/OpenDMARC/tree/master/SECURITY, which has details on these two CVEs.
A fixed version isn't listed for CVE-2019-20790, but 1.4.1 is the fix for CVE-2020-12272.
Both fixes are in 1.4.1: