CVE-2021-33912

描述

libspf2 before 1.2.11 has a four-byte heap-based buffer overflow that might allow remote attackers to execute arbitrary code (via an unauthenticated e-mail message from anywhere on the Internet) with a crafted SPF DNS record, because of incorrect sprintf usage in SPF_record_expand_data in spf_expand.c. The vulnerable code may be part of the supply chain of a site's e-mail infrastructure (e.g., with additional configuration, Exim can use libspf2; the Postfix web site links to unofficial patches for use of libspf2 with Postfix; older versions of spfquery relied on libspf2) but most often is not.

如何修補 CVE-2021-33912

要修補 CVE-2021-33912,請將受影響套件升級到下列已修補版本。

—升級至 1.2.11-r0 或更新版本
—升級至 1.2.10-7.1~deb11u1 或更新版本
—升級至 1.2.10-7+deb9u2 或更新版本

CVE-2021-33912 正在被利用嗎?

低 — EPSS 為 1.3%,目前沒有觀察到大規模利用活動。

受影響套件(3)

from 0, < 1.2.11-r0
from 0, < 1.2.10-7.1~deb11u1
from 0, < 1.2.10-7+deb9u2

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

描述

如何修補 CVE-2021-33912

CVE-2021-33912 正在被利用嗎?

受影響套件(3)

CVSS 分數

參考連結(2)