CVE-2022-48521

Name	CVE-2022-48521
Description	An issue was discovered in OpenDKIM through 2.10.3, and 2.11.x through 2.11.0-Beta2. It fails to keep track of ordinal numbers when removing fake Authentication-Results header fields, which allows a remote attacker to craft an e-mail message with a fake sender address such that programs that rely on Authentication-Results from OpenDKIM will treat the message as having a valid DKIM signature when in fact it has none.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DLA-3680-1, ELA-1017-1
Debian Bugs	1041107

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
opendkim (PTS)	jessie	2.9.2-2+deb8u1	vulnerable
	stretch (lts), stretch	2.11.0~alpha-10+deb9u2	fixed
	buster (security), buster, buster (lts)	2.11.0~alpha-12+deb10u1	fixed
	bullseye	2.11.0~beta2-4+deb11u1	fixed
	bookworm	2.11.0~beta2-8+deb12u1	fixed
	sid, trixie	2.11.0~beta2-9.1	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
opendkim	source	jessie	(unfixed)	end-of-life
opendkim	source	stretch	2.11.0~alpha-10+deb9u2		ELA-1017-1
opendkim	source	buster	2.11.0~alpha-12+deb10u1		DLA-3680-1
opendkim	source	bullseye	2.11.0~beta2-4+deb11u1
opendkim	source	bookworm	2.11.0~beta2-8+deb12u1
opendkim	source	(unstable)	2.11.0~beta2-9			1041107

https://github.com/trusteddomainproject/OpenDKIM/issues/148