Описание
OpenDMARC through 1.3.2 and 1.4.x, when used with pypolicyd-spf 2.0.2, allows attacks that bypass SPF and DMARC authentication in situations where the HELO field is inconsistent with the MAIL FROM field.
Пакеты
| Пакет | Статус | Версия исправления | Релиз | Тип |
|---|---|---|---|---|
| opendmarc | fixed | 1.4.0~beta1+dfsg-4 | package | |
| opendmarc | no-dsa | buster | package | |
| opendmarc | no-dsa | stretch | package |
Примечания
https://bugs.launchpad.net/pypolicyd-spf/+bug/1838816
https://sourceforge.net/p/opendmarc/tickets/235/
https://www.usenix.org/system/files/sec20fall_chen-jianjun_prepub_0.pdf
Issue is disputed upstream and considered "work as designed" (wontfix)
https://github.com/trusteddomainproject/OpenDMARC/blob/develop/SECURITY/CVE-2019-20790
Upstream reconsidering position:
https://github.com/trusteddomainproject/OpenDMARC/issues/158
EPSS
Связанные уязвимости
OpenDMARC through 1.3.2 and 1.4.x, when used with pypolicyd-spf 2.0.2, allows attacks that bypass SPF and DMARC authentication in situations where the HELO field is inconsistent with the MAIL FROM field.
OpenDMARC through 1.3.2 and 1.4.x, when used with pypolicyd-spf 2.0.2, allows attacks that bypass SPF and DMARC authentication in situations where the HELO field is inconsistent with the MAIL FROM field.
OpenDMARC through 1.3.2 and 1.4.x, when used with pypolicyd-spf 2.0.2, allows attacks that bypass SPF and DMARC authentication in situations where the HELO field is inconsistent with the MAIL FROM field.
EPSS