Security
Headlines
HeadlinesLatestCVEs

Headline

Ubuntu Security Notice USN-6356-1

Ubuntu Security Notice 6356-1 - Jianjun Chen, Vern Paxson and Jian Jiang discovered that OpenDMARC incorrectly handled certain inputs. If a user or an automated system were tricked into receiving crafted inputs, an attacker could possibly use this to falsify the domain of an e-mails origin. Patrik Lantz discovered that OpenDMARC incorrectly handled certain inputs. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to cause a denial of service.

Packet Storm
#vulnerability#ubuntu#dos

==========================================================================
Ubuntu Security Notice USN-6356-1
September 11, 2023

opendmarc vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 20.04 LTS
  • Ubuntu 18.04 LTS
  • Ubuntu 16.04 LTS (Available with Ubuntu Pro)

Summary:

Several security issues were fixed in OpenDMARC.

Software Description:

  • opendmarc: Open Source implementation of the DMARC specification

Details:

Jianjun Chen, Vern Paxson and Jian Jiang discovered that OpenDMARC
incorrectly handled certain inputs. If a user or an automated system were
tricked into receiving crafted inputs, an attacker could possibly use this
to falsify the domain of an e-mails origin. (CVE-2020-12272)

Patrik Lantz discovered that OpenDMARC incorrectly handled certain inputs.
If a user or an automated system were tricked into opening a specially
crafted input file, a remote attacker could possibly use this issue to
cause a denial of service. (CVE-2020-12460)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 20.04 LTS:
libopendmarc2 1.3.2-7ubuntu0.1
opendmarc 1.3.2-7ubuntu0.1

Ubuntu 18.04 LTS:
libopendmarc2 1.3.2-3ubuntu0.2
opendmarc 1.3.2-3ubuntu0.2

Ubuntu 16.04 LTS (Available with Ubuntu Pro):
libopendmarc2 1.3.1+dfsg-3ubuntu0.1~esm1
opendmarc 1.3.1+dfsg-3ubuntu0.1~esm1

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-6356-1
CVE-2020-12272, CVE-2020-12460

Package Information:
https://launchpad.net/ubuntu/+source/opendmarc/1.3.2-7ubuntu0.1
https://launchpad.net/ubuntu/+source/opendmarc/1.3.2-3ubuntu0.2

Related news

CVE-2020-12460: opendmarc

OpenDMARC through 1.3.2 and 1.4.x through 1.4.0-Beta1 has improper null termination in the function opendmarc_xml_parse that can result in a one-byte heap overflow in opendmarc_xml when parsing a specially crafted DMARC aggregate report. This can cause remote memory corruption when a '\0' byte overwrites the heap metadata of the next chunk and its PREV_INUSE flag.

CVE-2020-12272: opendmarc / Tickets / #237 Security Bugs: authentication results injections attacks affecting OpenDMARC that can bypass DMARC authentication

OpenDMARC through 1.3.2 and 1.4.x allows attacks that inject authentication results to provide false information about the domain that originated an e-mail message. This is caused by incorrect parsing and interpretation of SPF/DKIM authentication results, as demonstrated by the example.net(.example.com substring.

Packet Storm: Latest News

CUPS IPP Attributes LAN Remote Code Execution