From 2c8b2c0f14bc84b14571aab049b880c625f88893 Mon Sep 17 00:00:00 2001 From: Sean Whalen <44679+seanthegeek@users.noreply.github.com> Date: Sun, 24 May 2026 12:57:50 -0400 Subject: [PATCH] Bump mailsuite to >=2.2.1 (release 10.0.2) (#783) * Bump mailsuite to >=2.2.1; release 10.0.2 mailsuite 2.2.1 raises the transitive mail-parser floor to >=4.2.1, which stops mail-parser from returning a phantom ('', '') entry for absent address headers (verified against samples/failure/* with mail-parser 4.2.1: cc/bcc now parse to [] instead of [{address: ""}]). parsedmarc reads the mail-parser object directly via its own parse_email(), so this previously caused an empty {address: ""} Cc/Bcc entry to be indexed for every failure-report sample in Elasticsearch/OpenSearch and emitted in JSON/S3/Kafka output. The Reply-To-always-empty behavior in parsedmarc's own parse_email() (a hyphen-vs-underscore key mismatch, not an upstream issue) and the failure dashboards are out of scope here and tracked separately. Co-Authored-By: Claude Opus 4.7 (1M context) * docs: note CVE-2023-27043 hardening from mail-parser 4.2.1 in 10.0.2 Co-Authored-By: Claude Opus 4.7 (1M context) --------- Co-authored-by: Claude Opus 4.7 (1M context) --- CHANGELOG.md | 10 ++++++++++ parsedmarc/constants.py | 2 +- pyproject.toml | 2 +- 3 files changed, 12 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 81fb071..ca68fc7 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,5 +1,15 @@ # Changelog +## 10.0.2 + +### Changes + +- Bump the `mailsuite` requirement to `>=2.2.1`, which raises the transitive `mail-parser` floor to `>=4.2.1`. This pulls in two upstream fixes: + - `mail-parser` 4.2.1 stops returning a phantom `('', '')` entry for absent address headers, so parsedmarc no longer indexes an empty `Cc`/`Bcc` address (`{address: ""}`) for every DMARC failure-report sample in Elasticsearch/OpenSearch — and no longer emits it in JSON, S3, or Kafka output. + - `mail-parser` 4.2.1 also adopts the stricter address parsing that hardens against [CVE-2023-27043](https://nvd.nist.gov/vuln/detail/CVE-2023-27043) — a Python `email`-module flaw where an RFC 2822 header containing a special character has the wrong portion identified as the addr-spec, which can let a crafted address bypass email-domain verification. + + (The `Reply-To` parsing for failure samples and the failure dashboards are tracked separately.) + ## 10.0.1 ### Changes diff --git a/parsedmarc/constants.py b/parsedmarc/constants.py index dda7dba..48e1b17 100644 --- a/parsedmarc/constants.py +++ b/parsedmarc/constants.py @@ -1,4 +1,4 @@ -__version__ = "10.0.1" +__version__ = "10.0.2" USER_AGENT = f"parsedmarc/{__version__}" diff --git a/pyproject.toml b/pyproject.toml index 7e028f7..863873a 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -41,7 +41,7 @@ dependencies = [ "expiringdict>=1.1.4", "kafka-python-ng>=2.2.2", "lxml>=4.4.0", - "mailsuite[gmail,msgraph]>=2.2.0", + "mailsuite[gmail,msgraph]>=2.2.1", "maxminddb>=2.0.0", "opensearch-py>=2.4.2,<=4.0.0", "publicsuffixlist>=0.10.0",
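Review bot: In the CHANGELOG hunk, the second sub-bullet asserts that `mail-parser` 4.2.1 "adopts the stricter address parsing that hardens against CVE-2023-27043", but nothing in the entry points a reader at where that upstream change is documented; add a link to the `mail-parser` 4.2.1 release notes or commit next to the NVD link so the hardening claim is verifiable from the changelog. The first sub-bullet should also make clear that the phantom-`Cc`/`Bcc` fix only takes effect once the environment actually resolves `mail-parser>=4.2.1`: users who upgrade parsedmarc inside a locked or pinned environment will keep the old transitive `mail-parser` and still index the empty `{address: ""}` entry, so a short "confirm `mail-parser` is >=4.2.1 after upgrading" sentence would save support questions.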
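Review bot: The constants.py hunk bumps `__version__` to "10.0.2", but the pyproject.toml hunk in this patch touches only the `dependencies` list and never shows the project `version` field; confirm that pyproject.toml derives its version dynamically from `parsedmarc.constants.__version__`, or include the matching `version = "10.0.2"` bump here, otherwise the built wheel and the `USER_AGENT` string will disagree about the release number.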
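Review bot: In the pyproject.toml hunk, the behaviour being fixed lives in `mail-parser`, which the commit message says parsedmarc reads directly through its own `parse_email()`, yet the only change is raising `mailsuite[gmail,msgraph]` from `>=2.2.0` to `>=2.2.1` and relying on mailsuite's transitive floor; since parsedmarc imports `mail-parser` directly, declare it as a direct dependency with its own floor (`"mail-parser>=4.2.1",`) alongside the mailsuite line so a later relaxation of mailsuite's pin cannot silently reintroduce the phantom `('', '')` entry. The commit message also says the fix was verified by hand against `samples/failure/*`; a regression test asserting that `cc`/`bcc` parse to `[]` for those samples would keep that check from being repeated manually on the next dependency bump.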