List:       oss-security
Subject:    Re: [oss-security] OpenDMARC buffer overflows
From:       Thomas Ward <teward () thomas-ward ! net>
Date:       2019-09-17 18:57:34
Message-ID: 5f571403-9a7f-2967-737d-e8b754c288d8 () thomas-ward ! net
On 9/17/19 2:20 PM, Alyssa Ross wrote:
> Hanno Böck <hanno@hboeck.de> writes:
>
>> In light of the recent OpenDMARC issue I had a look at their Github PR
>> tracker. This one
>> https://github.com/trusteddomainproject/OpenDMARC/pull/45
>> caught my attention.
> So a signature bypass, a buffer overflow, and no activity in years
> despite vulnerabilities having been reported months ago?
>
> Certainly doesn't look like software that people should be relying on
> for security...

... which is why I think distros are distro-patching it, like Scott 
Kitterman is doing for Debian.

I have a host of other detections in line with OpenDMARC for detecting 
invalid message structure, but it's definitely concerning to see 
something like this - one of the few DMARC checkers that actually exists 
in the OSS world - be so far behind from a security perspective...
