Your message dated Sat, 25 Nov 2023 15:34:37 +0000
with message-id <[email protected]>
and subject line Bug#1041107: fixed in opendkim 2.11.0~beta2-9
has caused the Debian Bug report #1041107,
regarding opendkim: CVE-2022-48521
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1041107: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1041107
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: opendkim
X-Debbugs-CC: [email protected]
Severity: important
Tags: security
Hi,
The following vulnerability was published for opendkim.
CVE-2022-48521[0]:
| An issue was discovered in OpenDKIM through 2.10.3, and 2.11.x
| through 2.11.0-Beta2. It fails to keep track of ordinal numbers when
| removing fake Authentication-Results header fields, which allows a
| remote attacker to craft an e-mail message with a fake sender
| address such that programs that rely on Authentication-Results from
| OpenDKIM will treat the message as having a valid DKIM signature
| when in fact it has none.
https://github.com/trusteddomainproject/OpenDKIM/issues/148
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2022-48521
https://www.cve.org/CVERecord?id=CVE-2022-48521
Please adjust the affected versions in the BTS as needed.
--- End Message ---
--- Begin Message ---
Source: opendkim
Source-Version: 2.11.0~beta2-9
Done: David Bürgin <[email protected]>
We believe that the bug you reported is fixed in the latest version of
opendkim, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
David Bürgin <[email protected]> (supplier of updated opendkim package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sun, 19 Nov 2023 21:12:46 +0100
Source: opendkim
Architecture: source
Version: 2.11.0~beta2-9
Distribution: unstable
Urgency: medium
Maintainer: David Bürgin <[email protected]>
Changed-By: David Bürgin <[email protected]>
Closes: 1041107
Changes:
opendkim (2.11.0~beta2-9) unstable; urgency=medium
.
[ David Bürgin ]
* debian/patches: Add missing upstream bug metadata, add new patches:
- rev-ares-deletion.patch: Delete Authentication-Results headers in
reverse, addresses CVE-2022-48521 (Closes: #1041107).
- ares-missing-space.patch: Add missing space in Auth-Results header.
* Replace transitional libldap2-dev with libldap-dev in Build-Depends.
* Remove obsolete lsb-base dependency in opendkim package.
* Delete obsolete entries in debian/opendkim.NEWS.
.
[ Samuel Thibault ]
* d/rules: Generalize hurd-i386 into hurd.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---
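The CVE text above describes lost ordinal numbers when removing Authentication-Results fields, and the changelog's rev-ares-deletion.patch answers it by deleting in reverse. The following C program is an added illustration, not code from OpenDKIM or from the Debian patch. It assumes a simplified model in which the MTA applies each delete request at once and addresses a field by its 1-based ordinal among fields of the same name; the host names, the sample message and the function names are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

#define AR   "Authentication-Results"
#define SELF "mx.example.org"   /* constructed authserv-id of the filtering host */
#define MAXH 8

struct msg { const char *name[MAXH]; const char *value[MAXH]; int n; };

/* Assumed MTA behaviour: delete the ord-th (1-based) field called `name`
 * immediately, so every later field of that name moves down by one. */
static void delete_nth(struct msg *m, const char *name, int ord) {
    int seen = 0;
    for (int i = 0; i < m->n; i++) {
        if (strcmp(m->name[i], name) != 0 || ++seen != ord) continue;
        for (int j = i; j < m->n - 1; j++) {
            m->name[j] = m->name[j + 1];
            m->value[j] = m->value[j + 1];
        }
        m->n--;
        return;
    }
}

/* Record the ordinals of A-R fields that claim our own authserv-id. */
static int find_own(const struct msg *m, int *ords) {
    int seen = 0, k = 0;
    for (int i = 0; i < m->n; i++) {
        if (strcmp(m->name[i], AR) != 0) continue;
        seen++;
        if (strncmp(m->value[i], SELF ";", sizeof(SELF)) == 0) ords[k++] = seen;
    }
    return k;
}

/* Remove the recorded ordinals forward (reverse=0) or last-first (reverse=1);
 * return how many fields claiming SELF are still in the message. */
int own_fields_left(int reverse) {
    struct msg m = {   /* constructed sample message */
        { AR, AR, AR, "From" },
        { SELF "; dkim=pass", SELF "; dkim=pass",
          "relay.example.net; spf=pass", "sender@example.com" }, 4 };
    int ords[MAXH], k = find_own(&m, ords);   /* ordinals 1 and 2 */
    for (int i = 0; i < k; i++)
        delete_nth(&m, AR, ords[reverse ? k - 1 - i : i]);
    return find_own(&m, ords);
}

int main(void) {
    printf("forward: %d left, reverse: %d left\n",
           own_fields_left(0), own_fields_left(1));
    return 0;
}
```

In the forward pass the second request lands on the unrelated relay.example.net field, because the remaining field claiming the local authserv-id has already moved to ordinal 1; deleting last-first never touches an ordinal that a previous delete has shifted.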