From: glsamaker@gentoo.org
To: gentoo-announce@lists.gentoo.org
Reply-To: security@gentoo.org
Subject: [gentoo-announce] [ GLSA 202401-22 ] libspf2: Multiple vulnerabilities
Date: Mon, 15 Jan 2024 15:56:36 -0000
Message-ID: <170533419631.7.9220824112110555298@4a99fbfff9eb>

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                          GLSA 202401-22
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                          https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal
    Title: libspf2: Multiple vulnerabilities
     Date: January 15, 2024
     Bugs: #807739
       ID: 202401-22

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been discovered in libspf2, the worst of
which can lead to remote code execution.

Background
==========

libspf2 is a library that implements the Sender Policy Framework,
allowing mail transfer agents to make sure that an email is authorized
by the domain name that it is coming from.

Affected packages
=================

Package              Vulnerable    Unaffected
-------------------  ------------  ------------
mail-filter/libspf2  < 1.2.11      >= 1.2.11

Description
===========

Multiple vulnerabilities have been discovered in libspf2. Please review
the CVE identifiers referenced below for details.

Impact
======

Various buffer overflows have been identified that can lead to denial
of service and possibly arbitrary code execution.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All libspf2 users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=mail-filter/libspf2-1.2.11"

References
==========

[ 1 ] CVE-2021-20314
      https://nvd.nist.gov/vuln/detail/CVE-2021-20314
[ 2 ] CVE-2021-33912
      https://nvd.nist.gov/vuln/detail/CVE-2021-33912
[ 3 ] CVE-2021-33913
      https://nvd.nist.gov/vuln/detail/CVE-2021-33913

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202401-22

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5
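
Added example (not part of the Gentoo advisory and not Portage's own code): a shell check that reads the installed-package database and reports whether mail-filter/libspf2 is below the fixed version 1.2.11 given in the "Affected packages" table. It assumes the standard VDB location /var/db/pkg and GNU `sort -V`; the function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the advisory: flag installed libspf2 versions
# that fall in the range GLSA 202401-22 lists as vulnerable (< 1.2.11).
FIXED="1.2.11"

# is_affected VERSION: exit 0 if VERSION sorts below $FIXED.
is_affected() {
    ver=${1%-r[0-9]*}                 # drop the Gentoo revision (-r5)
    case $ver in                      # pre-releases of the fix sort below it
        "$FIXED"_alpha*|"$FIXED"_beta*|"$FIXED"_pre*|"$FIXED"_rc*) return 0 ;;
    esac
    base=${ver%%_*}                   # drop remaining suffixes such as _p1
    [ "$base" = "$FIXED" ] && return 1
    lowest=$(printf '%s\n%s\n' "$base" "$FIXED" | sort -V | head -n 1)
    [ "$lowest" = "$base" ]
}

# installed_versions [VDB]: print each installed libspf2 version.
installed_versions() {
    vdb=${1:-/var/db/pkg}             # assumed default Portage VDB path
    for d in "$vdb"/mail-filter/libspf2-[0-9]*; do
        [ -d "$d" ] || continue
        basename "$d" | sed 's/^libspf2-//'
    done
}

# audit [VDB]: one status line per version; exit 1 if any is affected.
audit() {
    rc=0
    for v in $(installed_versions "$1"); do
        if is_affected "$v"; then
            echo "AFFECTED mail-filter/libspf2-$v (GLSA 202401-22, fixed in $FIXED)"
            rc=1
        else
            echo "ok       mail-filter/libspf2-$v"
        fi
    done
    return $rc
}

# Constructed sample tree (not real system data); two versions are present
# only to show both outcomes. On a Gentoo host, call `audit` with no argument.
sample=$(mktemp -d)
mkdir -p "$sample/mail-filter/libspf2-1.2.10-r5" "$sample/mail-filter/libspf2-1.2.11"
audit "$sample" || echo "upgrade to >=mail-filter/libspf2-1.2.11 required"
rm -rf "$sample"
```

The non-zero exit status of `audit` makes it usable as a gate in fleet inventory or configuration-management runs.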