CVE-2022-48521

NameCVE-2022-48521
DescriptionAn issue was discovered in OpenDKIM through 2.10.3, and 2.11.x through 2.11.0-Beta2. It fails to keep track of ordinal numbers when removing fake Authentication-Results header fields, which allows a remote attacker to craft an e-mail message with a fake sender address such that programs that rely on Authentication-Results from OpenDKIM will treat the message as having a valid DKIM signature when in fact it has none.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-3680-1
Debian Bugs1041107

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
opendkim (PTS)bullseye2.11.0~beta2-4+deb11u1fixed
bookworm2.11.0~beta2-8+deb12u1fixed
sid, trixie2.11.0~beta2-9.1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
opendkimsourcebuster2.11.0~alpha-12+deb10u1DLA-3680-1
opendkimsourcebullseye2.11.0~beta2-4+deb11u1
opendkimsourcebookworm2.11.0~beta2-8+deb12u1
opendkimsource(unstable)2.11.0~beta2-91041107

Notes

https://github.com/trusteddomainproject/OpenDKIM/issues/148
Search for package or bug name: Reporting problems