Bug 2223351 (CVE-2022-48521) - CVE-2022-48521 opendkim: Authentication-Results fields are not removed correctly
Summary: CVE-2022-48521 opendkim: Authentication-Results fields are not removed correctly
Keywords:
Status: CLOSED UPSTREAM
Alias: CVE-2022-48521
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2223270 2223352
Blocks:
Reported: 2023-07-17 12:51 UTC by Mauro Matteo Cascella
Modified: 2023-08-01 12:06 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-08-01 12:06:20 UTC
Embargoed:



Description Mauro Matteo Cascella 2023-07-17 12:51:31 UTC
An issue was discovered in OpenDKIM through 2.10.3, and 2.11.x through 2.11.0-Beta2. OpenDKIM fails to keep track of ordinal numbers when removing fake Authentication-Results header fields, which allows a remote attacker to craft an e-mail message with a fake sender address such that programs that rely on Authentication-Results from OpenDKIM will treat the message as having a valid DKIM signature when in fact it has none.

Upstream issue:
https://github.com/trusteddomainproject/OpenDKIM/issues/148
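
A consumer-side check for the condition the description ends on (a `dkim=pass` result under the local authserv-id on a message that carries no matching signature), as an added example that is not part of the bug report or of OpenDKIM. The authserv-id `mx.example.org`, the function name `unbacked_dkim_pass` and both sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.policy import default

LOCAL_AUTHSERV_ID = "mx.example.org"  # assumption: the authserv-id our filter stamps

def unbacked_dkim_pass(raw, authserv_id=LOCAL_AUTHSERV_ID):
    """Return dkim=pass results under our authserv-id that no DKIM-Signature backs.

    Consistency check only: it does not verify any signature.
    """
    msg = message_from_string(raw, policy=default)
    signed = set()  # d= domains of the DKIM-Signature fields actually present
    for sig in msg.get_all("DKIM-Signature", []):
        m = re.search(r"(?:^|;)\s*d\s*=\s*([^;\s]+)", str(sig))
        if m:
            signed.add(m.group(1).lower())
    findings = []
    for field in msg.get_all("Authentication-Results", []):
        ident, _, results = str(field).partition(";")
        tokens = ident.split()
        if not tokens or tokens[0].lower() != authserv_id.lower():
            continue  # stamped by some other authserv-id; not evaluated here
        for result in results.split(";"):
            if not re.search(r"\bdkim\s*=\s*pass\b", result, re.I):
                continue
            d = re.search(r"\bheader\.d\s*=\s*([^\s;]+)", result, re.I)
            domain = d.group(1).lower() if d else None
            if not signed or (domain and domain not in signed):
                findings.append(result.strip())
    return findings

# Constructed sample messages (not taken from the bug report).
FORGED = (
    "Authentication-Results: mx.example.org; dkim=pass header.d=bank.example\n"
    "From: billing@bank.example\n"
    "Subject: invoice\n"
    "\n"
    "body\n"
)
GENUINE = (
    "Authentication-Results: mx.example.org; dkim=pass header.d=shop.example\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=shop.example; s=sel1; h=from; bh=AAAA; b=BBBB\n"
    "From: news@shop.example\n"
    "\n"
    "body\n"
)

if __name__ == "__main__":
    print(unbacked_dkim_pass(FORGED), unbacked_dkim_pass(GENUINE))
```

A non-empty result means an Authentication-Results field bearing the local authserv-id survived on a message whose signatures cannot account for it, so the field should not be relied on.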

Comment 1 Mauro Matteo Cascella 2023-07-17 12:52:42 UTC
Created opendkim tracking bugs for this issue:

Affects: epel-all [bug 2223270]

Comment 2 Mauro Matteo Cascella 2023-07-17 12:53:26 UTC
Created opendkim tracking bugs for this issue:

Affects: fedora-all [bug 2223352]

Comment 3 Product Security DevOps Team 2023-08-01 12:06:18 UTC
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.

