+++ This bug was initially created as a clone of Bug #29361 +++ An advisory has been issued today (August 11): https://www.openwall.com/lists/oss-security/2021/08/11/6 The issue is fixed in Bug 29361, but 1.2.11 also fixes other security-related issues, so it should be updated. We may need to pull a git snapshot. Mageia 8 is also affected.
Whiteboard: (none) => MGA8TOO
Fedora has issued an advisory for this today (September 26): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/CMSFT2NJDZ7PATRZSQPAOGSE7JD6ELOB/
Suggested advisory: ======================== The updated packages fix security vulnerabilities. References: https://www.openwall.com/lists/oss-security/2021/08/11/6 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/CMSFT2NJDZ7PATRZSQPAOGSE7JD6ELOB/ ======================== Updated packages in core/updates_testing: ======================== spf2-utils-1.2.11-0.git20210609.1.mga8 lib(64)spf2_2-1.2.11-0.git20210609.1.mga8 lib(64)spf2-devel-1.2.11-0.git20210609.1.mga8 from SRPM: libspf2-1.2.11-0.git20210609.1.mga8.src.rpm
Whiteboard: MGA8TOO => (none)CC: (none) => nicolas.salgueroSource RPM: libspf2-1.2.10-6.mga9.src.rpm => libspf2-1.2.10-5.1.mga8.src.rpmAssignee: pkg-bugs => qa-bugsStatus: NEW => ASSIGNEDVersion: Cauldron => 8
mga8, x64 No man pages for spf2 or libspf2. The three packages updated cleanly with qarepo. $ urpmq -i lib64spf2_2 $MIRRORLIST: media/core/release/media_info/20210224-165404-info.xml.lzma Name : lib64spf2_2 Version : 1.2.10 Release : 5.mga8 Group : System/Libraries Size : 170253 Architecture: x86_64 Source RPM : libspf2-1.2.10-5.mga8.src.rpm URL : http://www.libspf2.org/ Summary : Implementation of the SPF specification Description : libspf2 is an implementation of the SPF (Sender Policy Framework) specification as found at: http://www.ietf.org/internet-drafts/draft-mengwong-spf-00.txt SPF allows email systems to check SPF DNS records and make sure that an email is authorized by the administrator of the domain name that it is coming from. This prevents email forgery, commonly .... The text document specified does not exist at the URL given and a web search turns up nothing for spf-000.txt and there is no information in /usr/share/doc so who knows what an SPF record is and where they are stored? There is a PoC for the issue cited but it implies familiarity with spf2 and SPF records. CVE-2021-20314, Redhat bugs 199307{1,2} <quote> To reproduce, set the SPF record of a domain you control like listed below: example.com. 300 IN TXT "v=spf1 exp=exp.example.com" exp=exp.example.com. 300 IN TXT "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" Then trigger SPF processing in libspf2, ie. via the command line `spfquery` tool. # spfquery --sender someone () example com -ip 1.2.3.4 *** stack smashing detected ***: terminated Aborted (core dumped) </quote> Note that spfquery is now spfquery2. Other utilities are spfd2, spf_example2 and spftest2. $ spfquery2 -help <That works> .... Examples: spfquery -ip=11.22.33.44 -sender=user@aol.com -helo=spammer.tld spfquery -f test_data echo "127.0.0.1 myname@mydomain.com helohost.com" | spfquery -f - $ spfquery2 -ip=11.22.33.44 -sender=user@aol.com -helo=spammer.tld softfail Please see http://www.openspf.org/Why?id=user%40aol.com&ip=11.22.33.44&receiver=spfquery : Reason: mechanism spfquery: transitioning domain of aol.com does not designate 11.22.33.44 as permitted sender Received-SPF: softfail (spfquery: transitioning domain of aol.com does not designate 11.22.33.44 as permitted sender) client-ip=11.22.33.44; envelope-from=user@aol.com; helo=spammer.tld; <That is OK probably> $ echo "127.0.0.1 lcl@localhost.localdomain mageia.com" |spfquery2 -f - pass spfquery: localhost is always allowed. Received-SPF: pass (spfquery: localhost is always allowed.) client-ip=127.0.0.1; envelope-from=lcl@localhost.localdomain; helo=mageia.com; <That looks OK as well> Apart from self the only other application which requires this is smtp-gated. Not installed and it stays that way. Giving this a tentative OK based on clean install and basic operations.
CC: (none) => tarazed25Whiteboard: (none) => MGA8-64-OK
Found a link. https://dmarcian.com/create-spf-record/ An exercise for a rainy day.
Validating. Advisory in Comment 2.
CC: (none) => andrewsfarm, sysadmin-bugsKeywords: (none) => validated_update
CC: (none) => davidwhodginsKeywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0454.html
Status: ASSIGNED => RESOLVEDResolution: (none) => FIXED
These issues are CVE-2021-33912, CVE-2021-33913: https://www.debian.org/lts/security/2022/dla-2890
Summary: libspf2 new security issues fixed upstream in 1.2.11 => libspf2 new security issues fixed upstream in 1.2.11 (CVE-2021-33912, CVE-2021-33913)