| Summary: | <mail-client/mutt-2.0.2: May not detect failed handshake (CVE-2020-28896) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Sam James <sam> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | minor | CC: | grobian |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://lists.mutt.org/pipermail/mutt-announce/Week-of-Mon-20201116/000031.html | | |
| Whiteboard: | B3 [glsa+] | | |
| Package list: | Runtime testing required: | --- | |
| Bug Depends on: | | | |
| Bug Blocks: | 755863 | | |

Description
Sam James
2020-11-20 18:43:30 UTC
Please bump to 2.0.2. Thanks!

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a444dde143f9c29e5331888ddc10d0139827666f

commit a444dde143f9c29e5331888ddc10d0139827666f
Author: Fabian Groffen <grobian@gentoo.org>
AuthorDate: 2020-11-20 18:59:24 +0000
Commit: Fabian Groffen <grobian@gentoo.org>
CommitDate: 2020-11-20 18:59:24 +0000

    mail-client/mutt-2.0.2: bump for CVE-2020-28896

    Bug: https://bugs.gentoo.org/755866
    Package-Manager: Portage-3.0.8, Repoman-3.0.2
    Signed-off-by: Fabian Groffen <grobian@gentoo.org>

 mail-client/mutt/Manifest | 4 ++--
 mail-client/mutt/{mutt-2.0.0.ebuild => mutt-2.0.2.ebuild} | 3 ---
 2 files changed, 2 insertions(+), 5 deletions(-)

Let us know when ready to stable, thank you for the quick bump!

mutt-2.0.2 is effectively equal to 2.0.0 with addition of a small type-fix (not affecting Linux) and the small bugfix for the CVE. mutt-2.0.0 was introduced Nov 9. Considering 2.0.2 as a behaviour controlled close to identical to 2.0.0, normal stabilisation rules would allow earliest stabilisation Dec 9th.

(In reply to Fabian Groffen from comment #4)
> mutt-2.0.2 is effectively equal to 2.0.0 with addition of a small type-fix
> (not affecting Linux) and the small bugfix for the CVE. mutt-2.0.0 was
> introduced Nov 9. Considering 2.0.2 as a behaviour controlled close to
> identical to 2.0.0, normal stabilisation rules would allow earliest
> stabilisation Dec 9th.

We don't need to apply the normal rules for security bugs, it's usually ASAP, provided you're satisfied it works. Given this has just come off the back of 2.0.0, we'll give it a few days, see if any bugs pop up, and go from there?

I've been using it non-stop since its introduction, I think it's OK for stabilisation, but let's give it the weekend to see if anything pops up.

(In reply to Fabian Groffen from comment #6)
> I've been using it non-stop since its introduction, I think it's OK for
> stabilisation, but let's give it the weekend to see if anything pops up.

ACK, thanks Fabian!

Ready to roll, I assume? :)

yes, go ahead

x86 stable

amd64 stable

ppc stable

sparc stable

ppc64 stable

arm done

hppa stable

All arches done, thanks ATs! Maintainer, please cleanup.

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=485d5cdad8ecfbfafb6dbfa54a9e059211a2e747

commit 485d5cdad8ecfbfafb6dbfa54a9e059211a2e747
Author: Fabian Groffen <grobian@gentoo.org>
AuthorDate: 2020-11-27 08:00:26 +0000
Commit: Fabian Groffen <grobian@gentoo.org>
CommitDate: 2020-11-27 08:00:26 +0000

    mail-client/mutt: cleanup old

    Bug: https://bugs.gentoo.org/755866
    Package-Manager: Portage-3.0.9, Repoman-3.0.2
    Signed-off-by: Fabian Groffen <grobian@gentoo.org>

 mail-client/mutt/Manifest | 6 -
 .../mutt-1.14.4-no-imap-preauth-with-tunnel.patch | 30 ---
 mail-client/mutt/mutt-1.14.4-r1.ebuild | 273 ---------------------
 mail-client/mutt/mutt-1.14.5.ebuild | 265 --------------------
 mail-client/mutt/mutt-1.14.7.ebuild | 265 --------------------
 5 files changed, 839 deletions(-)

Obsoleted by bug 765790.

This issue was resolved and addressed in GLSA 202101-32 at https://security.gentoo.org/glsa/202101-32 by GLSA coordinator Sam James (sam_c).