FS#63812 - [opendmarc] CVE-2019-16378, upstream dead?
Attached to Project:
Community Packages
Opened by Pascal Ernster (hardfalcon) - Tuesday, 17 September 2019, 21:01 GMT
Last edited by Morten Linderud (Foxboron) - Sunday, 02 May 2021, 13:15 GMT
Details
OpenDMARC development seems to have been stalled for quite a while. The last commit in their git repo's master branch was in March 2017, and even in their development branch, the last commit was in November 2018.

On 2019-07-30, a pull request was submitted in which the author describes vulnerabilities in OpenDMARC which allow DMARC policies to be effectively circumvented on MTAs which rely upon OpenDMARC for verification/policy enforcement: https://github.com/trusteddomainproject/OpenDMARC/pull/48

Yet, to this day, there has been zero reaction from upstream. MITRE has assigned CVE-2019-16378 for the issue: https://nvd.nist.gov/vuln/detail/CVE-2019-16378

There's also an older pull request from 2019-07-03 which fixes "a few potential crashes": https://github.com/trusteddomainproject/OpenDMARC/pull/45 Upstream has not reacted to this pull request either.

Since upstream appears to be dead, this package should probably be moved to AUR.
Comment by Caleb Maclennan (alerque) - Saturday, 01 May 2021, 18:28 GMT
This CVE has been fixed upstream and several releases have happened since. The current Arch package is out of date, but even the version that is there has this fix. This bug report can be closed as fixed.

Comment by loqs (loqs) - Saturday, 01 May 2021, 21:20 GMT
You can ask for the FS to be closed by using the request closure link.