Re: OpenDMARC buffer overflows

[Thomas Ward <teward () thomas-ward net>]

On 9/17/19 2:20 PM, Alyssa Ross wrote:
> Hanno Böck <hanno () hboeck de> writes:
>
> > In light of the recent OpenDMARC issue I had a look at their Github PR
> > tracker. This one
> > https://github.com/trusteddomainproject/OpenDMARC/pull/45
> > caught my attention.
> So a signature bypass, a buffer overflow, and no activity in years
> despite vulnerabilities having been reported months ago?
>
> Certainly doesn't look like software that people should be relying on
> for security...

... which is why I think distros are distro-patching it, like Scott 
Kitterman is doing for Debian.

I have a host of other detections in line with OpenDMARC for detecting 
invalid message structure, though, but it's definitely concerning to see 
something like this - one of the few DMARC checkers that actually exists 
in the OSS world - to be so behind from a Security perspective...