| Summary: | <mail-client/mutt-1.14.4: MITM in STARTTLS for IMAP/POP3/SMTP (CVE-2020-14954) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Sam James <sam> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | minor | CC: | ajak, grobian |
| Priority: | Normal | Flags: | nattka: sanity-check+ |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://lists.mutt.org/pipermail/mutt-announce/Week-of-Mon-20200615/000023.html | | |
| See Also: | https://bugs.gentoo.org/show_bug.cgi?id=733684 https://bugs.gentoo.org/show_bug.cgi?id=728302 | | |
| Whiteboard: | B3 [glsa+ cve] | | |
| Package list: | =mail-client/mutt-1.14.4-r1 | | |
| Runtime testing required: | --- | | |
| Bug Depends on: | | | |
| Bug Blocks: | 807352, 728294 | | |

Description
Sam James
CVE pending. @maintainer(s), please bump to 1.14.4.

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=853490aded8a597f03bdd24b6f56cfffbfeecb97

commit 853490aded8a597f03bdd24b6f56cfffbfeecb97
Author: Fabian Groffen <grobian@gentoo.org>
AuthorDate: 2020-06-19 07:00:59 +0000
Commit: Fabian Groffen <grobian@gentoo.org>
CommitDate: 2020-06-19 07:00:59 +0000

    mail-client/mutt-1.14.4: another security bump

    Bug: https://bugs.gentoo.org/728708
    Package-Manager: Portage-2.3.99, Repoman-2.3.22
    Signed-off-by: Fabian Groffen <grobian@gentoo.org>

 mail-client/mutt/Manifest | 2 +
 mail-client/mutt/mutt-1.14.4.ebuild | 270 ++++++++++++++++++++++++++++++++++++
 2 files changed, 272 insertions(+)

We alright to stable it now given this is all that changed? Hopefully this is the last one for a bit..

yup, please cancel the 1.14.3 one, and focus on this one.

(In reply to Fabian Groffen from comment #4)
> yup, please cancel the 1.14.3 one, and focus on this one.

Thanks! Done

x86 stable

sparc stable

Hold stabilization.

@ maintainer: A regression was reported, see http://lists.mutt.org/pipermail/mutt-users/Week-of-Mon-20200615/001738.html. Just copy mutt-1.14.4 ebuild to new revision and *continue* stabilization afterwards. No need to restart for sparc/x86.

Resetting sanity check; keywords are not fully specified and arches are not CC-ed.

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a760a283613c47ac37b31c6394f89a431e823ca8

commit a760a283613c47ac37b31c6394f89a431e823ca8
Author: Fabian Groffen <grobian@gentoo.org>
AuthorDate: 2020-06-21 07:44:41 +0000
Commit: Fabian Groffen <grobian@gentoo.org>
CommitDate: 2020-06-21 07:44:41 +0000

    mail-client/mutt-1.14.4-r1: yet another security bump

    Bug: https://bugs.gentoo.org/728708
    Package-Manager: Portage-2.3.99, Repoman-2.3.22
    Signed-off-by: Fabian Groffen <grobian@gentoo.org>

 mail-client/mutt/Manifest | 2 --
 .../mutt-1.14.4-no-imap-preauth-with-tunnel.patch | 30 ++++++++++++++++++++++
 .../{mutt-1.14.2.ebuild => mutt-1.14.4-r1.ebuild} | 3 +++
 3 files changed, 33 insertions(+), 2 deletions(-)

Unable to check for sanity:
> no match for package: =mail-client/mutt-1.14.4

Resetting sanity check; keywords are not fully specified and arches are not CC-ed.

Assigned CVE-2020-14954.

arm stable

ppc stable

ppc64 stable

hppa stable

amd64 stable. Maintainer(s), please cleanup. Security, please vote.

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6cbaf7905f650a704ee884cb247d0d43b06b540a

commit 6cbaf7905f650a704ee884cb247d0d43b06b540a
Author: Fabian Groffen <grobian@gentoo.org>
AuthorDate: 2020-06-25 09:08:13 +0000
Commit: Fabian Groffen <grobian@gentoo.org>
CommitDate: 2020-06-25 09:08:13 +0000

    mail-client/mutt: cleanup vulnerable versions

    Bug: https://bugs.gentoo.org/728708
    Package-Manager: Portage-2.3.99, Repoman-2.3.22
    Signed-off-by: Fabian Groffen <grobian@gentoo.org>

 mail-client/mutt/Manifest | 4 -
 mail-client/mutt/mutt-1.13.5.ebuild | 268 -----------------------------------
 mail-client/mutt/mutt-1.14.3.ebuild | 270 ------------------------------------
 3 files changed, 542 deletions(-)

Thanks! GLSA vote: yes

This issue was resolved and addressed in GLSA 202007-57 at https://security.gentoo.org/glsa/202007-57 by GLSA coordinator Sam James (sam_c).