Community Packages

Please read this before reporting a bug:

Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.

REPEAT: Do NOT report bugs for outdated packages!

FS#63812 - [opendmarc] CVE-2019-16378, upstream dead?

Attached to Project: Community Packages
Opened by Pascal Ernster (hardfalcon) - Tuesday, 17 September 2019, 21:01 GMT
Last edited by Morten Linderud (Foxboron) - Sunday, 02 May 2021, 13:15 GMT
Task Type Bug Report
Category Security
Status Closed
Assigned To Sergej Pupykin (sergej)
Thore Bödecker (foxxx0)
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No


OpenDMARC development seems to be stalled since quite a while. The last commit in their git repo's master branch was in March 2017, and even in their development branch, the last commit was in November 2018.

On 2019-07-30, a pull request was submitted in which the author describes vulnerabilities in OpenDMARC which allow to effectively circumvent DMARC policies on MTAs which rely upon OpenDMARC for verification/policy enforcement:

Yet, to this day, there has been zero reaction from upstream. MITRE has assigned CVE-2019-16378 for the issue:

There's also an older pull request from 2019-07-03 which fixes "a few potential crashes":

Upstream has not reacted to this pull request either.

Since upstream appears to be dead, this package should probably be moved to AUR.
This task depends upon

Closed by  Morten Linderud (Foxboron)
Sunday, 02 May 2021, 13:15 GMT
Reason for closing:  Fixed
Comment by Caleb Maclennan (alerque) - Saturday, 01 May 2021, 18:28 GMT
This CVE has been fixed upstream and several releases have happened since. The current Arch package is out of date, but even the version that is there has this fix. This bug report can be closed as fixed.
Comment by loqs (loqs) - Saturday, 01 May 2021, 21:20 GMT
You can ask for the FS to be closed by using the request closure link.