Description: "This is an important security release fixing a possible machine-in-the-middle response injection attack when using STARTTLS with IMAP, POP3, and SMTP. (For packagers, I've requested a CVE and will update the website when I have the number)."
CVE pending. @maintainer(s), please bump to 1.14.4.
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=853490aded8a597f03bdd24b6f56cfffbfeecb97
commit 853490aded8a597f03bdd24b6f56cfffbfeecb97
Author: Fabian Groffen <grobian@gentoo.org>
AuthorDate: 2020-06-19 07:00:59 +0000
Commit: Fabian Groffen <grobian@gentoo.org>
CommitDate: 2020-06-19 07:00:59 +0000
    mail-client/mutt-1.14.4: another security bump
    Bug: https://bugs.gentoo.org/728708
    Package-Manager: Portage-2.3.99, Repoman-2.3.22
    Signed-off-by: Fabian Groffen <grobian@gentoo.org>
 mail-client/mutt/Manifest | 2 +
 mail-client/mutt/mutt-1.14.4.ebuild | 270 ++++++++++++++++++++++++++++++++++++
 2 files changed, 272 insertions(+)
We alright to stable it now given this is all that changed? Hopefully this is the last one for a bit..
yup, please cancel the 1.14.3 one, and focus on this one.
(In reply to Fabian Groffen from comment #4)
> yup, please cancel the 1.14.3 one, and focus on this one.
Thanks! Done
x86 stable
sparc stable
Hold stabilization. @maintainer: A regression was reported, see http://lists.mutt.org/pipermail/mutt-users/Week-of-Mon-20200615/001738.html. Just copy mutt-1.14.4 ebuild to new revision and *continue* stabilization afterwards. No need to restart for sparc/x86.
Resetting sanity check; keywords are not fully specified and arches are not CC-ed.
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a760a283613c47ac37b31c6394f89a431e823ca8
commit a760a283613c47ac37b31c6394f89a431e823ca8
Author: Fabian Groffen <grobian@gentoo.org>
AuthorDate: 2020-06-21 07:44:41 +0000
Commit: Fabian Groffen <grobian@gentoo.org>
CommitDate: 2020-06-21 07:44:41 +0000
    mail-client/mutt-1.14.4-r1: yet another security bump
    Bug: https://bugs.gentoo.org/728708
    Package-Manager: Portage-2.3.99, Repoman-2.3.22
    Signed-off-by: Fabian Groffen <grobian@gentoo.org>
 mail-client/mutt/Manifest | 2 --
 .../mutt-1.14.4-no-imap-preauth-with-tunnel.patch | 30 ++++++++++++++++++++++
 .../{mutt-1.14.2.ebuild => mutt-1.14.4-r1.ebuild} | 3 +++
 3 files changed, 33 insertions(+), 2 deletions(-)
Unable to check for sanity:
> no match for package: =mail-client/mutt-1.14.4
Assigned CVE-2020-14954.
arm stable
ppc stable
ppc64 stable
hppa stable
amd64 stable. Maintainer(s), please clean up. Security, please vote.
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6cbaf7905f650a704ee884cb247d0d43b06b540a
commit 6cbaf7905f650a704ee884cb247d0d43b06b540a
Author: Fabian Groffen <grobian@gentoo.org>
AuthorDate: 2020-06-25 09:08:13 +0000
Commit: Fabian Groffen <grobian@gentoo.org>
CommitDate: 2020-06-25 09:08:13 +0000
    mail-client/mutt: cleanup vulnerable versions
    Bug: https://bugs.gentoo.org/728708
    Package-Manager: Portage-2.3.99, Repoman-2.3.22
    Signed-off-by: Fabian Groffen <grobian@gentoo.org>
 mail-client/mutt/Manifest | 4 -
 mail-client/mutt/mutt-1.13.5.ebuild | 268 -----------------------------------
 mail-client/mutt/mutt-1.14.3.ebuild | 270 ------------------------------------
 3 files changed, 542 deletions(-)
Thanks!
GLSA vote: yes
This issue was resolved and addressed in GLSA 202007-57 at https://security.gentoo.org/glsa/202007-57 by GLSA coordinator Sam James (sam_c).