CVE-2021-20314 — libspf2 - security update

Description

Stack buffer overflow in libspf2 versions below 1.2.11 when processing certain SPF macros can lead to Denial of service and potentially code execution via malicious crafted SPF explanation messages.

How to fix CVE-2021-20314

To remediate CVE-2021-20314, upgrade the affected package to a fixed version below.

Alpine/libspf2—upgrade to 1.2.10-r5 or later
—upgrade to 1.2.10-7.1~deb11u1 or later
—upgrade to 1.2.10-7+deb9u1 or later
—upgrade to 1.2.10-7.1~deb10u1 or later

Is CVE-2021-20314 being exploited?

Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.

Affected packages (4)

from 0, < 1.2.10-r5
from 0, < 1.2.10-7.1~deb11u1
from 0, < 1.2.10-7+deb9u1
from 0, < 1.2.10-7.1~deb10u1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References (2)

ADVISORYsecurity.alpinelinux.org/vuln/CVE-2021-20314
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2021-20314