[SECURITY] [DLA 2639-1] opendmarc security update

To: debian-lts-announce@lists.debian.org
Subject: [SECURITY] [DLA 2639-1] opendmarc security update
From: Utkarsh Gupta <utkarsh@debian.org>
Date: Sun, 25 Apr 2021 13:20:20 +0530
Message-id: <[🔎] CAPP0f96J=5eZpTFvA_APFzOnAMbBMjn3_13wiPFSxKgsi8v=cA@mail.gmail.com>
Mail-followup-to: debian-lts@lists.debian.org
Reply-to: debian-lts@lists.debian.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- -----------------------------------------------------------------------
Debian LTS Advisory DLA-2639-1              debian-lts@lists.debian.org
https://www.debian.org/lts/security/                      Utkarsh Gupta
April 25, 2021                              https://wiki.debian.org/LTS
- -----------------------------------------------------------------------

Package        : opendmarc
Version        : 1.3.2-2+deb9u3
CVE ID         : CVE-2020-12460
Debian Bug     : 966464

It was discovered that OpenDMARC, a milter implementation of DMARC,
has improper null termination in the function opendmarc_xml_parse that
can result in a one-byte heap overflow in opendmarc_xml when parsing a
specially crafted DMARC aggregate report. This can cause remote memory
corruption when a '\0' byte overwrites the heap metadata of the next
chunk and its PREV_INUSE flag.

For Debian 9 stretch, this problem has been fixed in version
1.3.2-2+deb9u3.

We recommend that you upgrade your opendmarc packages.

For the detailed security status of opendmarc please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/opendmarc

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEbJ0QSEqa5Mw4X3xxgj6WdgbDS5YFAmCFHvgACgkQgj6WdgbD
S5bUDg/8CM67T/PokGkZKrkpAh3QJqKXfgyb2ACRgByAFxgZdrimq/M8xCk1wQOa
nvL1YLwJIl7G3CHQEu4TjZRdCabZLfedLroCBJNOabsvREyDxvgZiRr/f4xUh3+/
8XVKBh37hnjNlxu2loQTUwdgjtNUO7xlV6YWmlAkDG9qnXgjv5YvJ+rAhev+s/8Z
HDKREDlWWQv5/cFt2GwWpIuER0qRz1ZXK16qZiubYb26UW9Jpf6FBqt1Rf0Ej4bf
cSiQB8sOUoyWyVbJk/nzkuOc2oJKwUWp/DeVzow1xJoOI6OINUOUxsOQXRyg1WBu
6bRiLhaamY7bD/2hDMpsn/S7wWx2Ht+rsQ3sfwlJYsc8RNTR98qZ0JWEdCTQBVDT
P5PCBE62uO40qBYiUf2xF740wpUoRqOqKEbAhMsJOL35H3GeuD+JjpOoMXYVG8Wx
HRVDtppzwT6Hx11boeyYqYWJ34rFLJltJ1yVCNLkGzjBWh/pxFm9/HH3/qrpd1Gq
eOpJfuL//XMe3awbuNhoxaZ+YpJCKXeWa+zASvguz8vNtQ6BVlOz1oXlNJVlMe3D
3szjvJVRaWmhcQz6ZRZ0Y9ZSLcM64T8/V+LvbSEvmsU/5qecUuFMoZlsHlGooCt3
KUrXDVtFULHojaeamwNkLJ/msf1990tQB8cg2CbB2t0FopQheM4=
=OvqJ
-----END PGP SIGNATURE-----

Reply to:

Prev by Date: [SECURITY] [DLA 2638-1] jackson-databind security update
Next by Date: [SECURITY] [DLA 2640-1] gst-plugins-good1.0 security update
Previous by thread: [SECURITY] [DLA 2638-1] jackson-databind security update
Next by thread: [SECURITY] [DLA 2640-1] gst-plugins-good1.0 security update
Index(es):
- Date
- Thread