Date: Thu, 30 Dec 2021 03:25:53 GMT From: Philip Paeps <philip@FreeBSD.org> To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org Subject: git: af45137ac99e - main - security/vuxml: OpenDMARC 1.3.2 vulnerabilities Message-ID: <202112300325.1BU3PrMq038262@gitrepo.freebsd.org>
The branch main has been updated by philip: URL: https://cgit.FreeBSD.org/ports/commit/?id=af45137ac99e6fa40aaba0cfdca4f3c9ced89eb5 commit af45137ac99e6fa40aaba0cfdca4f3c9ced89eb5 Author: Dan Mahoney <freebsd@gushi.org> AuthorDate: 2021-12-29 04:41:37 +0000 Commit: Philip Paeps <philip@FreeBSD.org> CommitDate: 2021-12-30 03:23:33 +0000 security/vuxml: OpenDMARC 1.3.2 vulnerabilities PR: 240505 --- security/vuxml/vuln-2021.xml | 47 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 47 insertions(+) diff --git a/security/vuxml/vuln-2021.xml b/security/vuxml/vuln-2021.xml index 2b46f0876bbc..c9d0922979a5 100644 --- a/security/vuxml/vuln-2021.xml +++ b/security/vuxml/vuln-2021.xml @@ -1,3 +1,50 @@ + <vuln vid="937aa1d6-685e-11ec-a636-000c29061ce6"> + <topic>OpenDMARC - Multiple vulnerabilities</topic> + <affects> + <package> + <name>opendmarc</name> + <range><lt>1.4.1</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>OpenDMARC releases prior to 1.4.1 are susceptible to the following + vulnerabilities:</p> + <ul> + <li>(CVE-2019-16378) OpenDMARC through 1.3.2 and 1.4.x through + 1.4.0-Beta1 is prone to a signature-bypass vulnerability with + multiple 
From: addresses, which might affect applications that + consider a domain name to be relevant to the origin of an e-mail + message.</li> + <li>(CVE-2019-20790) OpenDMARC through 1.3.2 and 1.4.x, when used + with pypolicyd-spf 2.0.2, allows attacks that bypass SPF and DMARC + authentication in situations where the HELO field is inconsistent + with the MAIL FROM field.</li> + <li>(CVE-2020-12272) OpenDMARC through 1.3.2 and 1.4.x allows + attacks that inject authentication results to provide false + information about the domain that originated an e-mail + message.</li> + <li>(CVE-2020-12460) OpenDMARC through 1.3.2 and 1.4.x through + 1.4.0-Beta1 has improper null termination in the function + opendmarc_xml_parse that can result in a one-byte heap overflow in + opendmarc_xml when parsing a specially crafted DMARC aggregate + report. This can cause remote memory corruption.</li> + </ul> + </body> + </description> + <references> + <cvename>CVE-2019-16378</cvename> + <cvename>CVE-2019-20790</cvename> + <cvename>CVE-2020-12272</cvename> + <cvename>CVE-2020-12460</cvename> + <url>https://github.com/trusteddomainproject/OpenDMARC/blob/rel-opendmarc-1-4-1-1/RELEASE_NOTES</url> + </references> + <dates> + <discovery>2021-04-06</discovery> + <entry>2021-12-30</entry> + </dates> + </vuln> + <vuln vid="a4ff3673-d742-4b83-8c2b-3ddafe732034"> <topic>minio -- User privilege escalation</topic> <affects>
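Review bot: the new entry's <topic> uses a single-hyphen separator ("OpenDMARC - Multiple vulnerabilities") while the neighbouring entry in the same file uses the vuxml convention of a double hyphen ("minio -- User privilege escalation"); please change it to "OpenDMARC -- Multiple vulnerabilities" so the rendered advisory index stays consistent. Two smaller points in the same hunk: the commit message cites PR 240505 but the <references> block carries only the four <cvename> elements and the release-notes URL, so a <freebsdpr>240505</freebsdpr> reference would let readers trace the entry back to the ports PR; and the <discovery> date of 2021-04-06 is later than the years encoded in all four CVE identifiers (2019 and 2020), so it looks like a fix or release date rather than a discovery date and is worth double-checking against the release notes before this is merged.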