[opendmarc-users] unverified - OpenDMARC Bug

Scott Kitterman sklist at kitterman.com
Wed Sep 18 22:59:43 PDT 2019


On Wednesday, September 11, 2019 12:50:27 PM EDT A. Schulze wrote:
> Hello,
> 
> Golem, a German online IT magazine, reported about a Bug in OpenDMARC.
> https://www.golem.de/news/opendmarc-aktiv-ausgenutzte-dmarc-sicherheitsluecke-ohne-fix-1909-143798.html
> 
> Protonmail found that bug actively used
> https://protonmail.com/blog/bellingcat-cyberattack-phishing/
> 
> Also there is a proposed fix available as pull request on GitHub
> https://github.com/trusteddomainproject/OpenDMARC/pull/48
> 
> This message is intended only to relay that info unfiltered to the list.

In case anyone isn't following the pull request, I've replicated what I 
believe the attack to be and verified that the proposed change addresses it.  
CVE-2019-16378 has been assigned to this issue.

Scott K