Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 728294 - <mail-client/mutt-1.14.3: Multiple vulnerabilities
Summary: <mail-client/mutt-1.14.3: Multiple vulnerabilities
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: http://lists.mutt.org/pipermail/mutt-...
Whiteboard: B3 [glsa+]
Keywords:
Depends on: CVE-2020-14954
Blocks: CVE-2020-14093, CVE-2020-14154
  Show dependency tree
 
Reported: 2020-06-14 22:09 UTC by Sam James
Modified: 2020-07-28 19:43 UTC (History)
2 users (show)

See Also:
Package list:
=mail-client/mutt-1.14.3
Runtime testing required: ---
nattka: sanity-check-


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James gentoo-dev Security 2020-06-14 22:09:16 UTC
Description:
"This is an important security release fixing two issues.

The first is a possible IMAP man-in-the-middle attack.  No credentials 
are exposed, but could result in unintended emails being "saved" to an 
attacker's server.  The $ssl_starttls quadoption is now used to check 
for an unencrypted PREAUTH response from the server.

Thanks very much to Damian Poddebniak and Fabian Ising from the Münster 
University of Applied Sciences for reporting this issue, and their help 
in testing the fix.

The second fix is for a problem with GnuTLS certificate prompting. 
"Rejecting" an expired intermediate cert did not terminate the 
connection.  Thanks to @henk on IRC for reporting the issue."
Comment 1 Sam James gentoo-dev Security 2020-06-14 22:10:07 UTC
@maintainer(s), please bump to 1.14.3.
Comment 2 John Helmert III (ajak) 2020-06-15 17:10:46 UTC
(In reply to Sam James (sec padawan) from comment #0)
> Description:
> "This is an important security release fixing two issues.
> 
> The first is a possible IMAP man-in-the-middle attack.  No credentials 
> are exposed, but could result in unintended emails being "saved" to an 
> attacker's server.  The $ssl_starttls quadoption is now used to check 
> for an unencrypted PREAUTH response from the server.

This was assigned CVE-2020-14093.
Comment 3 Larry the Git Cow gentoo-dev 2020-06-15 19:49:04 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6cdea241a6c518a14f1fc0f20dc2562bf3621ddf

commit 6cdea241a6c518a14f1fc0f20dc2562bf3621ddf
Author:     Fabian Groffen <grobian@gentoo.org>
AuthorDate: 2020-06-15 19:48:18 +0000
Commit:     Fabian Groffen <grobian@gentoo.org>
CommitDate: 2020-06-15 19:49:00 +0000

    mail-client/mutt-1.14.3: version bump fixing security issues
    
    Bug: https://bugs.gentoo.org/728294
    Package-Manager: Portage-2.3.99, Repoman-2.3.22
    Signed-off-by: Fabian Groffen <grobian@gentoo.org>

 mail-client/mutt/Manifest                                      | 4 ++--
 mail-client/mutt/{mutt-1.14.0-r1.ebuild => mutt-1.14.3.ebuild} | 0
 2 files changed, 2 insertions(+), 2 deletions(-)
Comment 4 Sam James gentoo-dev Security 2020-06-15 19:51:46 UTC
@maintainer(s), let us know when ready for stabilisation, thanks for quick bump
Comment 5 Fabian Groffen gentoo-dev 2020-06-15 19:54:07 UTC
1.14.3 is basically 1.14.2 + security fixes.

I'm using 1.14.2 for a while without issues, so basically 1.14.3 is ready whenever you are.

Thanks!
Comment 6 Sam James gentoo-dev Security 2020-06-15 22:16:50 UTC
(In reply to Fabian Groffen from comment #5)
> 1.14.3 is basically 1.14.2 + security fixes.
> 
> I'm using 1.14.2 for a while without issues, so basically 1.14.3 is ready
> whenever you are.
> 
> Thanks!

Thanks! Let's go for it
Comment 7 Rolf Eike Beer 2020-06-16 16:43:36 UTC
sparc stable
Comment 8 Rolf Eike Beer 2020-06-17 21:14:13 UTC
hppa stable
Comment 9 Sam James gentoo-dev Security 2020-06-19 12:43:54 UTC
We'll stabilise 1.14.4 instead in bug 728708.
Comment 10 NATTkA bot gentoo-dev 2020-06-19 12:48:28 UTC
Resetting sanity check; keywords are not fully specified and arches are not CC-ed.
Comment 11 NATTkA bot gentoo-dev 2020-06-25 09:12:32 UTC
Unable to check for sanity:

> no match for package: =mail-client/mutt-1.14.3
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2020-07-28 19:43:02 UTC
This issue was resolved and addressed in
 GLSA 202007-57 at https://security.gentoo.org/glsa/202007-57
by GLSA coordinator Sam James (sam_c).