Your message dated Sat, 19 Sep 2020 08:37:57 +0000
with message-id <[email protected]>
and subject line Bug#966464: fixed in opendmarc 1.4.0~beta1+dfsg-3
has caused the Debian Bug report #966464,
regarding opendmarc: CVE-2020-12460
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
966464: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=966464
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: opendmarc
Version: 1.4.0~beta1+dfsg-2
Severity: important
Tags: security upstream
Forwarded: https://github.com/trusteddomainproject/OpenDMARC/issues/64
X-Debbugs-Cc: Debian Security Team <[email protected]>
Control: found -1 1.3.2-6+deb10u1
Control: found -1 1.3.2-6
Hi,
The following vulnerability was published for opendmarc.
CVE-2020-12460[0]:
| OpenDMARC through 1.3.2 and 1.4.x through 1.4.0-Beta1 has improper
| null termination in the function opendmarc_xml_parse that can result
| in a one-byte heap overflow in opendmarc_xml when parsing a specially
| crafted DMARC aggregate report. This can cause remote memory
| corruption when a '\0' byte overwrites the heap metadata of the next
| chunk and its PREV_INUSE flag.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2020-12460
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12460
[1] https://github.com/trusteddomainproject/OpenDMARC/issues/64
Regards,
Salvatore
--- End Message ---
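The bug pattern behind the CVE text above (a heap buffer sized for the token bytes only, with the terminating '\0' written one byte past its end), as an added C example that is not OpenDMARC's code: the two copy helpers, the minimal element extractor and the sample report are illustrative and constructed for this note, and nothing here reproduces the real opendmarc_xml_parse logic or a crafted report.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative vulnerable pattern, NOT the OpenDMARC source: the heap
 * buffer is sized for the token bytes only, so the terminating '\0' is
 * written one byte past the end of the chunk. With glibc malloc that byte
 * lands in the size field of the next chunk, whose low bit is PREV_INUSE,
 * which is the corruption the CVE text describes. */
static char *dup_token_unsafe(const char *start, size_t len)
{
    char *out = malloc(len);      /* one byte too small */
    if (out == NULL)
        return NULL;
    memcpy(out, start, len);
    out[len] = '\0';              /* off-by-one: out[len] is past the end */
    return out;
}

/* Fixed pattern: allocate room for the terminator as well. */
static char *dup_token(const char *start, size_t len)
{
    char *out = malloc(len + 1);
    if (out == NULL)
        return NULL;
    memcpy(out, start, len);
    out[len] = '\0';              /* in bounds: index len of a len+1 buffer */
    return out;
}

/* Return the text of the first <tag>...</tag> element in xml as a fresh,
 * NUL-terminated heap string (caller frees), or NULL if the element is
 * missing or unterminated. Deliberately minimal (no attributes, entities
 * or nesting); the point is the allocation rule in dup_token. */
char *extract_element(const char *xml, const char *tag)
{
    char open[64], close[64];
    if (snprintf(open, sizeof open, "<%s>", tag) >= (int)sizeof open)
        return NULL;
    if (snprintf(close, sizeof close, "</%s>", tag) >= (int)sizeof close)
        return NULL;
    const char *s = strstr(xml, open);
    if (s == NULL)
        return NULL;
    s += strlen(open);
    const char *e = strstr(s, close);
    if (e == NULL)
        return NULL;
    return dup_token(s, (size_t)(e - s));
}

/* Convenience check: 1 if the element exists and its text equals expected. */
int element_equals(const char *xml, const char *tag, const char *expected)
{
    char *got = extract_element(xml, tag);
    if (got == NULL)
        return 0;
    int same = strcmp(got, expected) == 0;
    free(got);
    return same;
}

/* Constructed sample resembling the metadata block of a DMARC aggregate
 * report; not a real report and not the CVE's crafted input. */
static const char SAMPLE_REPORT[] =
    "<feedback><report_metadata>"
    "<org_name>example.net</org_name>"
    "<report_id>12345</report_id>"
    "<date_range><begin>0</begin><end>86399</end></date_range>"
    "</report_metadata></feedback>";

/* Runs the safe path by default; "unsafe" exercises the off-by-one so it
 * can be observed under AddressSanitizer:
 *   cc -g -fsanitize=address example.c && ./a.out unsafe */
int main(int argc, char **argv)
{
    const char *text = "example.net";
    int unsafe = argc > 1 && strcmp(argv[1], "unsafe") == 0;
    char *t = unsafe ? dup_token_unsafe(text, strlen(text))
                     : dup_token(text, strlen(text));
    if (t == NULL)
        return 1;
    printf("%s copy: %s\n", unsafe ? "unsafe" : "safe", t);
    free(t);

    char *org = extract_element(SAMPLE_REPORT, "org_name");
    printf("org_name: %s\n", org ? org : "(missing)");
    free(org);
    return 0;
}
```

Without a sanitizer the one-byte write usually goes unnoticed, because glibc rounds small requests up to the chunk size and the stray byte lands in padding or in the next chunk's size field; that silence is why the fix is a matter of the allocation size (len + 1), not of whether a crash is observed.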
--- Begin Message ---
Source: opendmarc
Source-Version: 1.4.0~beta1+dfsg-3
Done: David Bürgin <[email protected]>
We believe that the bug you reported is fixed in the latest version of
opendmarc, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
David Bürgin <[email protected]> (supplier of updated opendmarc package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 19 Sep 2020 08:40:47 +0200
Source: opendmarc
Architecture: source
Version: 1.4.0~beta1+dfsg-3
Distribution: unstable
Urgency: high
Maintainer: Scott Kitterman <[email protected]>
Changed-By: David Bürgin <[email protected]>
Closes: 965284 966464
Changes:
opendmarc (1.4.0~beta1+dfsg-3) unstable; urgency=high
.
* Cherry-pick patch for CVE-2020-12460 from upstream:
- Add proper null-termination in opendmarc_xml_parse (Closes: #966464)
* Shut down debconf with db_stop in opendmarc.postinst,
patch by "B.R.S.Roso" <[email protected]> (Closes: #965284)
* Add missing DEP-3 headers tracking upstream bug in d/patches
Checksums-Sha1:
e8af16bea41c757f86be3b801b10c32333bed90c 2178 opendmarc_1.4.0~beta1+dfsg-3.dsc
862b4af23a3cfa4510ad7c43e2e16d2bc8d21712 26684 opendmarc_1.4.0~beta1+dfsg-3.debian.tar.xz
Checksums-Sha256:
3f605f02ba0db8557c7a2e4cfd1b134cbdc3a0e0fdeeba0757a699d3a420d83d 2178 opendmarc_1.4.0~beta1+dfsg-3.dsc
18ca960698b045ad43455f6ed76dc452eea3f18ca1f9901cc744f13105504e4d 26684 opendmarc_1.4.0~beta1+dfsg-3.debian.tar.xz
Files:
bb19463587886163cad4c97a896cb345 2178 mail optional opendmarc_1.4.0~beta1+dfsg-3.dsc
81ae45494833be2bcf0b1d930b197fd5 26684 mail optional opendmarc_1.4.0~beta1+dfsg-3.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---