
Debian alert DLA-2639-1 (opendmarc)

From:  Utkarsh Gupta <utkarsh@debian.org>
To:  debian-lts-announce@lists.debian.org
Subject:  [SECURITY] [DLA 2639-1] opendmarc security update
Date:  Sun, 25 Apr 2021 13:20:20 +0530
Message-ID:   <CAPP0f96J=5eZpTFvA_APFzOnAMbBMjn3_13wiPFSxKgsi8v=cA@mail.gmail.com>

-------------------------------------------------------------------------
Debian LTS Advisory DLA-2639-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                          Utkarsh Gupta
April 25, 2021                                https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : opendmarc
Version        : 1.3.2-2+deb9u3
CVE ID         : CVE-2020-12460
Debian Bug     : 966464

It was discovered that OpenDMARC, a milter implementation of DMARC, has
improper null termination in the function opendmarc_xml_parse that can
result in a one-byte heap overflow in opendmarc_xml when parsing a
specially crafted DMARC aggregate report. This can cause remote memory
corruption when a '\0' byte overwrites the heap metadata of the next
chunk and its PREV_INUSE flag.

For Debian 9 stretch, this problem has been fixed in version
1.3.2-2+deb9u3.

We recommend that you upgrade your opendmarc packages.

For the detailed security status of opendmarc please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/opendmarc

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
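The defect class the advisory names (a NUL terminator written one byte past a heap buffer that was sized to the content length) is illustrated below as an added example; this is a reconstruction of the pattern, not OpenDMARC's own code, and the function names, the constructed sample report and the `is_properly_terminated` check are all hypothetical.

```c
/* Illustrative reconstruction of the bug class in DLA-2639-1: a parser
 * slurps a report into a heap buffer sized to the content length, then
 * NUL-terminates it one byte past the allocation. Not OpenDMARC's code;
 * function names are hypothetical. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for a DMARC aggregate report read from disk. */
static const char SAMPLE_REPORT[] =
    "<?xml version=\"1.0\"?><feedback><report_metadata>"
    "<org_name>example.org</org_name></report_metadata></feedback>";

/* VULNERABLE pattern: the chunk holds exactly `len` bytes, but the
 * terminator goes to buf[len], one byte past its end. On glibc that byte
 * lands in the next chunk's size field, whose lowest bit is PREV_INUSE,
 * which is the corruption the advisory describes. Never call this. */
char *slurp_unterminated(const unsigned char *data, size_t len)
{
    char *buf = malloc(len);          /* no room for the NUL */
    if (buf == NULL)
        return NULL;
    memcpy(buf, data, len);
    buf[len] = '\0';                  /* one-byte heap overflow */
    return buf;
}

/* FIXED pattern: allocate len + 1 so the terminator is in bounds, and
 * refuse a length for which len + 1 would wrap around. */
char *slurp_terminated(const unsigned char *data, size_t len)
{
    if (len == SIZE_MAX)
        return NULL;
    char *buf = malloc(len + 1);
    if (buf == NULL)
        return NULL;
    memcpy(buf, data, len);
    buf[len] = '\0';                  /* in bounds: len < len + 1 */
    return buf;
}

/* Review invariant: the result is a C string of exactly `len` bytes. */
int is_properly_terminated(const char *buf, size_t len)
{
    return buf != NULL && strlen(buf) == len;
}
```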




Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds