Vulnerability Note VU#183657
libspf2 DNS TXT record parsing buffer overflow
libspf2 contains a buffer overflow vulnerability in code that parses DNS TXT records.
libspf2 is a widely deployed implementation of the Sender Policy Framework (SPF). According to RFC 4408:
An SPF record is a DNS Resource Record (RR) that declares which hosts are, and are not, authorized to use a domain name for the "HELO" and "MAIL FROM" identities. Loosely, the record partitions all hosts into permitted and not-permitted sets (though some hosts might fall into neither category).
This vulnerability could allow an unauthenticated, remote attacker to execute arbitrary code on a system running libspf2.
Systems Affected
| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| BlueCat Networks, Inc. | Affected | 18 Sep 2008 | 30 Oct 2008 |
| McAfee | Affected | 16 Sep 2008 | 16 Oct 2008 |
| Process Software | Affected | 16 Sep 2008 | 16 Oct 2008 |
| SecPoint | Affected | 24 Sep 2008 | 16 Oct 2008 |
| Bizanga | Not Affected | 17 Sep 2008 | 16 Oct 2008 |
| Cisco Systems, Inc. | Not Affected | 16 Sep 2008 | 07 Nov 2008 |
| Eland Systems | Not Affected | 17 Sep 2008 | 16 Oct 2008 |
| Extreme Networks | Not Affected | 16 Sep 2008 | 30 Apr 2009 |
| Force10 Networks, Inc. | Not Affected | 16 Sep 2008 | 22 Jul 2011 |
| MailFoundry | Not Affected | 18 Sep 2008 | 23 Oct 2008 |
| Openwall GNU/*/Linux | Not Affected | 16 Sep 2008 | 16 Oct 2008 |
| Proofpoint | Not Affected | 18 Sep 2008 | 16 Oct 2008 |
| Roaring Penguin Software Inc. | Not Affected | 17 Sep 2008 | 16 Oct 2008 |
| Securence | Not Affected | 19 Sep 2008 | 16 Oct 2008 |
| Sun Microsystems, Inc. | Not Affected | 16 Sep 2008 | 16 Oct 2008 |
This issue was reported by Dan Kaminsky of Doxpara Research.
This document was written by Chris Taschner.
- CVE IDs: CVE-2008-2469
- Date Public: 21 Oct 2008
- Date First Published: 30 Oct 2008
- Date Last Updated: 22 Jul 2011
- Severity Metric: 9.00
- Document Revision: 23