Bug 41246 - mutt-1.4.2 SECURITY RELEASE
Summary: mutt-1.4.2 SECURITY RELEASE
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: New packages
Hardware: All All
Importance: High normal
Assignee: Net-Mail Packages
Keywords: SECURITY
Reported: 2004-02-11 07:20 UTC by Don Seiler (RETIRED)
Modified: 2004-02-12 17:58 UTC
Description Don Seiler (RETIRED) gentoo-dev 2004-02-11 07:20:53 UTC
Got this from security focus:

Mutt-1.4.2 has just been released; this version fixes a buffer
overflow that can be triggered by incoming messages.  There are
reports about spam that has actually triggered this problem and
crashed mutt.

It is recommended that users of mutt versions prior to 1.4.2 upgrade
to this version, or apply the patch included below.
   
Users of "unstable" mutt versions after 1.3.28 (including 1.5.*) do
not need to upgrade, as this problem had been fixed in the unstable
branch in February 2002; unfortunately, the fix was not backported
before 1.4 was released.
   
   
mutt-1.4.2 can be found at ftp://ftp.mutt.org/mutt/.
   
Distribution files:
   
  MD5 checksum                    file name             size
   
44fc379c317109f516894a7c3fd43cc9  diff-1.4.1i-1.4.2i.gz (23k)
6045b47cbba8170d6a9fdccc1aa817b9  mutt-1.4.2i.tar.gz    (2.4M)
   
Linux distributors are expected to release updated mutt packages
shortly.
   
   
Credits:  The problem in the stable mutt code base was originally
reported to Red Hat, and was brought to my attention by Mark Cox.
   
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2004-0078 to this issue.
   
Regards,
-- 
Thomas Roessler · Personal soap box at <http://log.does-not-exist.org/>.
Comment 1 Don Seiler (RETIRED) gentoo-dev 2004-02-11 07:22:32 UTC
CCing security@g.o.  This probably merits a GLSA to get anyone still on 1.4.1 to upgrade.  Our current stable is in the 1.5.x branch for all platforms, but you never know who lingers.
Comment 2 Aron Griffis (RETIRED) gentoo-dev 2004-02-11 12:55:13 UTC
Feel free to GLSA this if you want.  This problem is fixed in the 1.5.x stream, of which 1.5.4-r1 is currently marked stable on all arches except mips (which doesn't have any version of mutt marked stable).
Comment 3 Don Seiler (RETIRED) gentoo-dev 2004-02-12 14:30:08 UTC
Looks like this has been taken care of.  Closing.
Comment 4 solar (RETIRED) gentoo-dev 2004-02-12 17:58:12 UTC
Sounds like we don't need to do a GLSA for this one.