Please see https://seclists.org/oss-sec/2021/q3/94

Stack buffer overflow in libspf2 versions below 1.2.11 when processing certain SPF macros can lead to denial of service and potentially code execution via maliciously crafted SPF explanation messages. CVE-2021-20314 has been assigned to this issue.

An updated version of libspf2 (1.2.11), which also fixes other security-related issues, is available from GitHub (https://github.com/shevek/libspf2). The libspf2 website (https://www.libspf2.org/download.html) and the latest release there are NOT UPDATED YET.
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=97deffc5b76fc61eeef40559aa82d7999c698288

commit 97deffc5b76fc61eeef40559aa82d7999c698288
Author: Po-Chuan Hsieh <sunpoet@FreeBSD.org>
AuthorDate: 2022-05-13 11:37:10 +0000
Commit: Po-Chuan Hsieh <sunpoet@FreeBSD.org>
CommitDate: 2022-05-13 11:40:16 +0000

    mail/libspf2: Update to 1.2.11

    - Update MASTER_SITES

    Changes: https://github.com/shevek/libspf2/commits/master
    Security: CVE-2021-20314
    PR: 259938
    Reported by: Dmitriy <supportme@ukr.net>

 mail/libspf2/Makefile | 11 ++++++-----
 mail/libspf2/distinfo | 5 +++--
 2 files changed, 9 insertions(+), 7 deletions(-)
A commit in branch 2022Q2 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=3c0e83f02f0c1f84b234ee52cdcc68f36fed301a

commit 3c0e83f02f0c1f84b234ee52cdcc68f36fed301a
Author: Po-Chuan Hsieh <sunpoet@FreeBSD.org>
AuthorDate: 2022-05-13 11:37:10 +0000
Commit: Po-Chuan Hsieh <sunpoet@FreeBSD.org>
CommitDate: 2022-05-13 11:57:19 +0000

    mail/libspf2: Update to 1.2.11

    - Update MASTER_SITES

    Changes: https://github.com/shevek/libspf2/commits/master
    Security: CVE-2021-20314
    PR: 259938
    Reported by: Dmitriy <supportme@ukr.net>

    (cherry picked from commit 97deffc5b76fc61eeef40559aa82d7999c698288)

 mail/libspf2/Makefile | 11 ++++++-----
 mail/libspf2/distinfo | 5 +++--
 2 files changed, 9 insertions(+), 7 deletions(-)
Committed. Thanks!