Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 728294

Summary: <mail-client/mutt-1.14.3: Multiple vulnerabilities
Product: Gentoo Security Reporter: Sam James <sam>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: ajak, grobian
Priority: Normal Flags: nattka: sanity-check-
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://lists.mutt.org/pipermail/mutt-announce/Week-of-Mon-20200608/000022.html
See Also: https://bugs.gentoo.org/show_bug.cgi?id=728302
Whiteboard: B3 [glsa+]
Package list:
=mail-client/mutt-1.14.3
 Runtime testing required: ---
Bug Depends on: 728708    
Bug Blocks: 728300    

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-06-14 22:09:16 UTC 
Description:
"This is an important security release fixing two issues.

The first is a possible IMAP man-in-the-middle attack.  No credentials 
are exposed, but could result in unintended emails being "saved" to an 
attacker's server.  The $ssl_starttls quadoption is now used to check 
for an unencrypted PREAUTH response from the server.

Thanks very much to Damian Poddebniak and Fabian Ising from the Münster 
University of Applied Sciences for reporting this issue, and their help 
in testing the fix.

The second fix is for a problem with GnuTLS certificate prompting. 
"Rejecting" an expired intermediate cert did not terminate the 
connection.  Thanks to @henk on IRC for reporting the issue."
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-06-14 22:10:07 UTC 
@maintainer(s), please bump to 1.14.3.
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-06-15 17:10:46 UTC 
(In reply to Sam James (sec padawan) from comment #0)
> Description:
> "This is an important security release fixing two issues.
> 
> The first is a possible IMAP man-in-the-middle attack.  No credentials 
> are exposed, but could result in unintended emails being "saved" to an 
> attacker's server.  The $ssl_starttls quadoption is now used to check 
> for an unencrypted PREAUTH response from the server.

This was assigned CVE-2020-14093.
Comment 3 Larry the Git Cow gentoo-dev 2020-06-15 19:49:04 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6cdea241a6c518a14f1fc0f20dc2562bf3621ddf

commit 6cdea241a6c518a14f1fc0f20dc2562bf3621ddf
Author:     Fabian Groffen <grobian@gentoo.org>
AuthorDate: 2020-06-15 19:48:18 +0000
Commit:     Fabian Groffen <grobian@gentoo.org>
CommitDate: 2020-06-15 19:49:00 +0000

    mail-client/mutt-1.14.3: version bump fixing security issues
    
    Bug: https://bugs.gentoo.org/728294
    Package-Manager: Portage-2.3.99, Repoman-2.3.22
    Signed-off-by: Fabian Groffen <grobian@gentoo.org>

 mail-client/mutt/Manifest                                      | 4 ++--
 mail-client/mutt/{mutt-1.14.0-r1.ebuild => mutt-1.14.3.ebuild} | 0
 2 files changed, 2 insertions(+), 2 deletions(-)
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-06-15 19:51:46 UTC 
@maintainer(s), let us know when ready for stabilisation, thanks for quick bump
Comment 5 Fabian Groffen gentoo-dev 2020-06-15 19:54:07 UTC 
1.14.3 is basically 1.14.2 + security fixes.

I'm using 1.14.2 for a while without issues, so basically 1.14.3 is ready whenever you are.

Thanks!
Comment 6 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-06-15 22:16:50 UTC 
(In reply to Fabian Groffen from comment #5)
> 1.14.3 is basically 1.14.2 + security fixes.
> 
> I'm using 1.14.2 for a while without issues, so basically 1.14.3 is ready
> whenever you are.
> 
> Thanks!

Thanks! Let's go for it
Comment 7 Rolf Eike Beer archtester 2020-06-16 16:43:36 UTC 
sparc stable
Comment 8 Rolf Eike Beer archtester 2020-06-17 21:14:13 UTC 
hppa stable
Comment 9 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-06-19 12:43:54 UTC 
We'll stabilise 1.14.4 instead in bug 728708.
Comment 10 NATTkA bot gentoo-dev Security 2020-06-19 12:48:28 UTC 
Resetting sanity check; keywords are not fully specified and arches are not CC-ed.
Comment 11 NATTkA bot gentoo-dev Security 2020-06-25 09:12:32 UTC 
Unable to check for sanity:

> no match for package: =mail-client/mutt-1.14.3
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2020-07-28 19:43:02 UTC 
This issue was resolved and addressed in
 GLSA 202007-57 at https://security.gentoo.org/glsa/202007-57
by GLSA coordinator Sam James (sam_c).