vulnerability

Ubuntu: (Multiple Advisories) (CVE-2021-33913): Libspf2 vulnerabilities

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
9	(AV:N/AC:M/Au:N/C:C/I:C/A:C)	Jan 19, 2022	Jan 16, 2024	Jan 23, 2025

Severity

CVSS

(AV:N/AC:M/Au:N/C:C/I:C/A:C)

Published

Jan 19, 2022

Added

Jan 16, 2024

Modified

Jan 23, 2025

Description

libspf2 before 1.2.11 has a heap-based buffer overflow that might allow remote attackers to execute arbitrary code (via an unauthenticated e-mail message from anywhere on the Internet) with a crafted SPF DNS record, because of SPF_record_expand_data in spf_expand.c. The amount of overflowed data depends on the relationship between the length of an entire domain name and the length of its leftmost label. The vulnerable code may be part of the supply chain of a site's e-mail infrastructure (e.g., with additional configuration, Exim can use libspf2; the Postfix web site links to unofficial patches for use of libspf2 with Postfix; older versions of spfquery relied on libspf2) but most often is not.

Solution(s)

ubuntu-pro-upgrade-libmail-spf-xs-perlubuntu-pro-upgrade-libspf2-2ubuntu-pro-upgrade-libspf2-devubuntu-pro-upgrade-spfquery

References

NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today