On 25.07.25 at 04:32, Moritz Orbach via Exim-users wrote:
Hi all,
I don't trust libspf2 anymore because after almost 2 years it's still
unclear to me if CVE-2023-42118 is fixed or not (e.g.
https://bugs.gentoo.org/916493#c2).
In an attempt to replace it I wrote an ACL that checks SPF alignment
by running spfquery.pl from Mail::SPF. This works fine and adds the
Received-SPF header, but I don't know how or if I can pass the SPF
alignment result into Exim in order to use the “dmarc_status”
condition. Is that possible?
From Fedora's libspf2 package:
* Mon Oct 02 2023 Bojan Smojver <[email protected]> - 1.2.11-10.20210922git4915c308
- CVE-2023-42118
Gentoo announced a fix in January 2024: GLSA 202401-22
Severity: Normal
Title: libspf2: Multiple vulnerabilities
Date: January 15, 2024
Bugs: #807739
ID: 202401-22
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities have been discovered in libspf2, the worst of
which can lead to remote code execution.
Resolution
==========
All libspf2 users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=mail-filter/libspf2-1.2.11"
From MY POV that announcement is more than irritating, but libspf2 is
not maintained anymore, so there will be no 1.2.12 release and therefore
any patch will be inside the 1.2.11 tree.
@Devteam: in the long term it would be smart to switch to a different solution.
best regards,
Cyborg
--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## [email protected]
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
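The quoted question above is about feeding an SPF result obtained outside libspf2 (here from Mail::SPF's spfquery.pl) into a DMARC decision. Whether Exim's dmarc_status condition can consume such an external result is left open in the thread; what the ACL has to do in any case is the DMARC alignment step, i.e. compare the SPF identifier (the MAIL FROM domain, or the HELO name for a null sender) with the RFC5322.From domain in relaxed or strict mode. The following Python is an added example written for this page, not code from the thread, from Exim or from Mail::SPF. It assumes spfquery-style output with the result code on the first line and a "Received-SPF:" line (the sample text is constructed), and it stands in a tiny hard-coded suffix set for the Public Suffix List that a real organisational-domain lookup must consult.

```python
"""DMARC-style SPF alignment on top of an external SPF checker's output.

Added example for the exim-users thread; not Exim's, Mail::SPF's or the
poster's code.  Assumptions, not taken from the thread: spfquery-style
output has the result code on line 1 and a "Received-SPF:" line; the
organisational domain is derived from a toy suffix set instead of the
real Public Suffix List.
"""
import re

# Constructed sample of spfquery-style output (layout is an assumption).
SAMPLE_SPFQUERY_OUTPUT = """pass
example.com: Sender is authorized to use 'bounce@mail.example.com' in 'mfrom' identity
Received-SPF: pass (mx.example.org: domain of bounce@mail.example.com designates 192.0.2.10 as permitted sender) receiver=mx.example.org; identity=mailfrom; envelope-from="bounce@mail.example.com"; client-ip=192.0.2.10
"""

SPF_RESULTS = {"pass", "fail", "softfail", "neutral", "none", "permerror", "temperror"}

# Toy stand-in for the Public Suffix List (assumption for this example only).
PUBLIC_SUFFIXES = {"com", "org", "net", "co.uk"}


def parse_spfquery_output(text):
    """Return (result, received_spf_header) from spfquery-style output."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    if not lines:
        raise ValueError("empty spfquery output")
    result = lines[0].lower()
    if result not in SPF_RESULTS:
        raise ValueError("unexpected SPF result %r" % lines[0])
    header = next((l for l in lines if l.lower().startswith("received-spf:")), None)
    return result, header


def organizational_domain(fqdn):
    """Organisational domain as DMARC defines it: public suffix plus one label."""
    labels = fqdn.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if i > 0 and ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return ".".join(labels)


def spf_identifier(mail_from, helo):
    """Domain DMARC evaluates SPF against: MAIL FROM, or HELO for a null sender."""
    if mail_from:
        return mail_from.rsplit("@", 1)[-1].lower()
    return helo.lower()


def aligned(spf_domain, from_domain, mode):
    """Strict ('s') needs an exact match; relaxed ('r') the same organisational domain."""
    spf_domain = spf_domain.lower().rstrip(".")
    from_domain = from_domain.lower().rstrip(".")
    if mode == "s":
        return spf_domain == from_domain
    return organizational_domain(spf_domain) == organizational_domain(from_domain)


def dmarc_alignment_mode(dmarc_record):
    """Pick aspf= from a DMARC TXT record; DMARC's default is relaxed ('r')."""
    m = re.search(r"(?:^|;)\s*aspf\s*=\s*([rs])\b", dmarc_record, re.I)
    return m.group(1).lower() if m else "r"


def spf_dmarc_pass(spf_result, mail_from, helo, from_header_domain,
                   dmarc_record="v=DMARC1; p=none"):
    """True only if SPF passed *and* its identifier aligns with the From: domain.

    A bare SPF pass on an unrelated MAIL FROM domain (the classic
    attacker-controlled bounce domain) is rejected here by alignment.
    """
    if spf_result != "pass":
        return False
    mode = dmarc_alignment_mode(dmarc_record)
    return aligned(spf_identifier(mail_from, helo), from_header_domain, mode)


if __name__ == "__main__":
    result, header = parse_spfquery_output(SAMPLE_SPFQUERY_OUTPUT)
    print(result, header)
    print(spf_dmarc_pass(result, "bounce@mail.example.com", "mx.example.com", "example.com"))
    print(spf_dmarc_pass(result, "bounce@mail.example.com", "mx.example.com", "example.com",
                         "v=DMARC1; p=reject; aspf=s"))
```

In an Exim ACL this is the computation that would have to sit between the ${run{...}} call to spfquery.pl and whatever verdict the ACL enforces; a real deployment replaces PUBLIC_SUFFIXES with the Public Suffix List, and an SPF pass that is not aligned must count as a DMARC SPF failure, not a pass.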