{"id":"MGASA-2021-0462","summary":"Updated opendmarc packages fix security vulnerability","details":"OpenDMARC through 1.3.2 and 1.4.x, when used with pypolicyd-spf 2.0.2, allows\nattacks that bypass SPF and DMARC authentication in situations where the HELO\nfield is inconsistent with the MAIL FROM field (CVE-2019-20790).\n\nOpenDMARC through 1.3.2 and 1.4.x allows attacks that inject authentication\nresults to provide false information about the domain that originated an e-mail\nmessage. This is caused by incorrect parsing and interpretation of SPF/DKIM\nauthentication results, as demonstrated by the example.net(.example.com\nsubstring (CVE-2020-12272).\n\nOpenDMARC through 1.3.2 and 1.4.x through 1.4.0-Beta1 has improper null\ntermination in the function opendmarc_xml_parse that can result in a one-byte\nheap overflow in opendmarc_xml when parsing a specially crafted DMARC aggregate\nreport. This can cause remote memory corruption when a '\\0' byte overwrites the\nheap metadata of the next chunk and its PREV_INUSE flag (CVE-2020-12460).\n","modified":"2026-04-16T04:44:31.798800712Z","published":"2021-10-06T19:41:56Z","upstream":["CVE-2019-20790","CVE-2020-12272","CVE-2020-12460"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2021-0462.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=29035"},{"type":"REPORT","url":"https://github.com/trusteddomainproject/OpenDMARC/issues/111"}],"affected":[{"package":{"name":"opendmarc","ecosystem":"Mageia:8","purl":"pkg:rpm/mageia/opendmarc?arch=source&distro=mageia-8"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.4.1.1-1.mga8"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2021-0462.json"}}],"schema_version":"1.7.5","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}