
Bug 755833

Summary: <mail-client/neomutt-20201120: May not detect failed handshake (CVE-2020-28896)
Product: Gentoo Security
Reporter: Sam James <sam>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: nicolasbock
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://github.com/neomutt/neomutt/releases/tag/20201120
Whiteboard: B3 [glsa+]
Package list:
Runtime testing required: ---
Bug Depends on:
Bug Blocks: 755863

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-11-20 16:27:54 UTC
"In addition to the usual share of bug fixes and enhancements, this release
fixes a security vulnerability whereas an early error in communicating with
an IMAP server was not properly detected as fatal, resulting in a potential
for sensitive information (user, pass) being sent over an untrusted channel."
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-11-20 16:28:17 UTC
Please bump to 2020-11-20, thanks!
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-11-22 22:27:49 UTC
Bumped in ff96f46db13467f8519afe3cd84c07f1e1a9940f, thanks.

Is it ready to stable?
Comment 3 Nicolas Bock gentoo-dev 2020-11-23 14:48:08 UTC
Hi Sam,

It's running fine for me.

Best,

Nick
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-11-27 16:47:03 UTC
20201127 is released, it fixes a regression in 20201120. Probably a better candidate for stabilization.
Comment 5 Nicolas Bock gentoo-dev 2020-11-29 14:08:10 UTC
I have added neomutt-20201127 to tree. We can close this bug.
Comment 6 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-11-30 01:15:56 UTC
(In reply to Nicolas Bock from comment #5)
> I have added neomutt-20201127 to tree. We can close this bug.

We can once the fixed version is stabled; we'll do that now?
Comment 7 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-11-30 01:16:15 UTC
(In reply to Nicolas Bock from comment #3)
> Hi Sam,
> 
> It's running fine for me.
> 
> Best,
> 
> Nick

(Also, sorry, I missed this!)
Comment 8 Nicolas Bock gentoo-dev 2020-11-30 16:50:31 UTC
(In reply to Sam James from comment #7)
> (In reply to Nicolas Bock from comment #3)
> > Hi Sam,
> > 
> > It's running fine for me.
> > 
> > Best,
> > 
> > Nick
> 
> (Also, sorry, I missed this!)

No worries :)
Comment 9 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-12-01 12:10:10 UTC
amd64 done
Comment 10 Thomas Deutschmann (RETIRED) gentoo-dev 2020-12-02 03:08:00 UTC
x86 stable
Comment 11 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-12-02 16:17:13 UTC
Please cleanup
Comment 12 Nicolas Bock gentoo-dev 2020-12-02 22:30:38 UTC
Hi John,

when you say cleanup, what do you mean?

Thanks!

Nick
Comment 13 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-12-02 22:43:42 UTC
(In reply to Nicolas Bock from comment #12)
> Hi John,
> 
> when you say cleanup, what do you mean?
> 
> Thanks!
> 
> Nick

Hello! When a package is stabilized to fix a security vulnerability, we generally ask the maintainer to drop ("cleanup") the vulnerable package versions so that users cannot accidentally install a vulnerable version of the package. In this case please cleanup <neomutt-20201127.
Comment 14 Nicolas Bock gentoo-dev 2020-12-03 13:52:13 UTC
Hi John,

Thanks for the clarification. Will do!

Best,

Nick
Comment 15 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-12-03 13:53:04 UTC
(In reply to Nicolas Bock from comment #14)
> Hi John,
> 
> Thanks for the clarification. Will do!
> 
> Best,
> 
> Nick

It’s one of those things where we get caught up in the jargon!
Comment 16 Larry the Git Cow gentoo-dev 2020-12-03 15:26:23 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3a02f96d25538695778dd30af5664166caec386b

commit 3a02f96d25538695778dd30af5664166caec386b
Author:     Nicolas Bock <nicolasbock@gentoo.org>
AuthorDate: 2020-12-03 15:25:19 +0000
Commit:     Nicolas Bock <nicolasbock@gentoo.org>
CommitDate: 2020-12-03 15:26:13 +0000

    mail-client/neomutt: Clean up of older ebuilds
    
    Bug: https://bugs.gentoo.org/755833
    Signed-off-by: Nicolas Bock <nicolasbock@gentoo.org>

 mail-client/neomutt/Manifest                   |   4 -
 mail-client/neomutt/neomutt-20200626-r1.ebuild | 149 -------------------------
 mail-client/neomutt/neomutt-20200626.ebuild    | 128 ---------------------
 mail-client/neomutt/neomutt-20200821.ebuild    | 149 -------------------------
 mail-client/neomutt/neomutt-20200925.ebuild    | 149 -------------------------
 mail-client/neomutt/neomutt-20201120.ebuild    | 149 -------------------------
 6 files changed, 728 deletions(-)
Comment 17 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-12-03 17:56:09 UTC
Thank you! Now security needs to vote.
Comment 18 GLSAMaker/CVETool Bot gentoo-dev 2021-01-26 23:44:08 UTC
This issue was resolved and addressed in
 GLSA 202101-32 at https://security.gentoo.org/glsa/202101-32
by GLSA coordinator Sam James (sam_c).