"Hello Mutt Users, I've just released version 2.0.2. Instructions for downloading are available at <http://www.mutt.org/download.html>, or the tarball can be directly downloaded from <http://ftp.mutt.org/pub/mutt/>. Please take the time to verify the signature file against my public key. This is an important bug fix release, addressing CVE-2020-28896. Mutt had incorrect error handling when initially connecting to an IMAP server, which could result in an attempt to authenticate without enabling TLS. Thanks to Gabriel Salles-Loustau for discovering the problem, and including detailed information and a reproducing example in his report! Also thanks to Richard Russon for coordinating the release with Mutt. -Kevin"
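The failure mode described in the announcement, a STARTTLS error that is noticed but not treated as fatal so that LOGIN goes out over a cleartext connection, modelled as an added example beside the strict flow a client should use. This is not mutt's code: the IMAP server is a constructed script, the TLS upgrade is a flag standing in for wrapping the socket, and no network is touched.

```python
class ScriptedServer:
    """Fake IMAP server: answers each client command from a fixed script and
    records whether TLS was active when each command arrived."""
    def __init__(self, responses):
        self.responses = list(responses)
        self.tls = False
        self.received = []   # (command, tls_active) pairs, as the server saw them

    def send(self, cmd):
        self.received.append((cmd, self.tls))
        return self.responses.pop(0) if self.responses else "* BYE"

    def upgrade_tls(self):
        self.tls = True      # stands in for wrapping the connection in TLS


def tagged_ok(resp):
    """True for a tagged OK response such as 'a001 OK Begin TLS'."""
    parts = resp.split(" ", 1)
    return len(parts) == 2 and parts[1].startswith("OK")


def leaked_logins(server):
    """LOGIN commands that reached the server while TLS was not active."""
    return [c for c, tls in server.received if c.split()[1] == "LOGIN" and not tls]


def connect_lenient(server, user, password):
    """Bug-like flow: a STARTTLS failure is noted but not treated as fatal,
    so control falls through to LOGIN over the still-cleartext connection."""
    if tagged_ok(server.send("a001 STARTTLS")):
        server.upgrade_tls()
    else:
        print("warning: STARTTLS failed")   # error observed, but not acted on
    server.send(f"a002 LOGIN {user} {password}")
    return server.tls


def connect_strict(server, user, password):
    """Hardened flow: credentials are sent only once TLS is confirmed; any
    STARTTLS failure ends the session before LOGIN is ever attempted."""
    if not tagged_ok(server.send("a001 STARTTLS")):
        server.send("a002 LOGOUT")
        return False
    server.upgrade_tls()
    server.send(f"a002 LOGIN {user} {password}")
    return True


# Constructed script: the server refuses STARTTLS (or a middlebox stripped it).
REFUSED = ["a001 NO STARTTLS not available", "a002 OK"]
```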
Please bump to 2.0.2. Thanks!
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a444dde143f9c29e5331888ddc10d0139827666f

commit a444dde143f9c29e5331888ddc10d0139827666f
Author: Fabian Groffen <grobian@gentoo.org>
AuthorDate: 2020-11-20 18:59:24 +0000
Commit: Fabian Groffen <grobian@gentoo.org>
CommitDate: 2020-11-20 18:59:24 +0000

    mail-client/mutt-2.0.2: bump for CVE-2020-28896

    Bug: https://bugs.gentoo.org/755866
    Package-Manager: Portage-3.0.8, Repoman-3.0.2
    Signed-off-by: Fabian Groffen <grobian@gentoo.org>

 mail-client/mutt/Manifest                                 | 4 ++--
 mail-client/mutt/{mutt-2.0.0.ebuild => mutt-2.0.2.ebuild} | 3 ---
 2 files changed, 2 insertions(+), 5 deletions(-)
Let us know when ready to stable, thank you for the quick bump!
mutt-2.0.2 is effectively equal to 2.0.0 with addition of a small type-fix (not affecting Linux) and the small bugfix for the CVE. mutt-2.0.0 was introduced Nov 9. Considering 2.0.2 as a behaviour controlled close to identical to 2.0.0, normal stabilisation rules would allow earliest stabilisation Dec 9th.
(In reply to Fabian Groffen from comment #4)
> mutt-2.0.2 is effectively equal to 2.0.0 with addition of a small type-fix
> (not affecting Linux) and the small bugfix for the CVE. mutt-2.0.0 was
> introduced Nov 9. Considering 2.0.2 as a behaviour controlled close to
> identical to 2.0.0, normal stabilisation rules would allow earliest
> stabilisation Dec 9th.

We don't need to apply the normal rules for security bugs, it's usually ASAP, provided you're satisfied it works. Given this has just come off the back of 2.0.0, we'll give it a few days, see if any bugs pop up, and go from there?
I've been using it non-stop since its introduction, I think it's OK for stabilisation, but let's give it the weekend to see if anything pops up.
(In reply to Fabian Groffen from comment #6)
> I've been using it non-stop since its introduction, I think it's OK for
> stabilisation, but let's give it the weekend to see if anything pops up.

ACK, thanks Fabian!
Ready to roll, I assume? :)
yes, go ahead
x86 stable
amd64 stable
ppc stable
sparc stable
ppc64 stable
arm done
hppa stable
All arches done, thanks ATs! Maintainer, please cleanup.
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=485d5cdad8ecfbfafb6dbfa54a9e059211a2e747

commit 485d5cdad8ecfbfafb6dbfa54a9e059211a2e747
Author: Fabian Groffen <grobian@gentoo.org>
AuthorDate: 2020-11-27 08:00:26 +0000
Commit: Fabian Groffen <grobian@gentoo.org>
CommitDate: 2020-11-27 08:00:26 +0000

    mail-client/mutt: cleanup old

    Bug: https://bugs.gentoo.org/755866
    Package-Manager: Portage-3.0.9, Repoman-3.0.2
    Signed-off-by: Fabian Groffen <grobian@gentoo.org>

 mail-client/mutt/Manifest                         |   6 -
 .../mutt-1.14.4-no-imap-preauth-with-tunnel.patch |  30 ---
 mail-client/mutt/mutt-1.14.4-r1.ebuild            | 273 ---------------------
 mail-client/mutt/mutt-1.14.5.ebuild               | 265 --------------------
 mail-client/mutt/mutt-1.14.7.ebuild               | 265 --------------------
 5 files changed, 839 deletions(-)
Obsoleted by bug 765790.
This issue was resolved and addressed in GLSA 202101-32 at https://security.gentoo.org/glsa/202101-32 by GLSA coordinator Sam James (sam_c).