Description: "This is an important security release fixing two issues. The first is a possible IMAP man-in-the-middle attack. No credentials are exposed, but it could result in unintended emails being "saved" to an attacker's server. The $ssl_starttls quadoption is now used to check for an unencrypted PREAUTH response from the server. Thanks very much to Damian Poddebniak and Fabian Ising from the Münster University of Applied Sciences for reporting this issue, and for their help in testing the fix. The second fix is for a problem with GnuTLS certificate prompting. "Rejecting" an expired intermediate cert did not terminate the connection. Thanks to @henk on IRC for reporting the issue."
@maintainer(s), please bump to 1.14.3.
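The PREAUTH check described in the release notes quoted above, as an added example that is not mutt's code: a model of the IMAP greeting handling before and after the fix. In IMAP (RFC 3501) the server greets with "* OK" (not-authenticated state), "* PREAUTH" (already authenticated) or "* BYE", and STARTTLS is only valid in the not-authenticated state, so a PREAUTH greeting means the connection can never be upgraded. A man in the middle on the plaintext connection can inject "* PREAUTH" and a client that trusts it keeps talking in the clear, for example APPENDing a copy of sent mail to the attacker's server, without ever sending LOGIN (hence no credentials exposed). The quadoption values ("yes", "no", "ask-yes", "ask-no"), the prompt() callback and the abort-on-missing-STARTTLS rule are assumptions of this model, not mutt's exact control flow.

```python
"""Model of the IMAP greeting check behind CVE-2020-14093 (added example, not mutt's code).

Assumptions (not taken from mutt): $ssl_starttls is modelled as one of
"yes", "no", "ask-yes", "ask-no"; ask-* values consult a prompt() callback;
a "yes" with no STARTTLS capability advertised aborts the connection.
"""
import re
from dataclasses import dataclass
from typing import Callable, List

# Untagged greeting: "* OK|PREAUTH|BYE [optional response code] text"
GREETING_RE = re.compile(
    r"^\* (?P<status>OK|PREAUTH|BYE)(?: \[(?P<code>[^\]]*)\])?(?: (?P<text>.*))?$"
)

Prompt = Callable[[str], bool]


@dataclass
class Greeting:
    status: str
    capabilities: List[str]
    text: str


@dataclass
class Decision:
    action: str  # "starttls", "login", "authenticated" or "abort"
    reason: str


def parse_greeting(line: str) -> Greeting:
    """Parse the greeting line; capabilities come from a [CAPABILITY ...] code if present."""
    m = GREETING_RE.match(line.rstrip("\r\n"))
    if m is None:
        raise ValueError(f"not an IMAP greeting: {line!r}")
    code = m.group("code") or ""
    caps: List[str] = []
    if code.upper().startswith("CAPABILITY "):
        caps = [c.upper() for c in code.split()[1:]]
    return Greeting(m.group("status"), caps, m.group("text") or "")


def _wants_tls(ssl_starttls: str, prompt: Prompt) -> bool:
    """Resolve the quadoption: yes/no decide outright, ask-* consult prompt()."""
    if ssl_starttls == "yes":
        return True
    if ssl_starttls == "no":
        return False
    if ssl_starttls in ("ask-yes", "ask-no"):
        return prompt("Use STARTTLS on this connection?")
    raise ValueError(f"bad $ssl_starttls value: {ssl_starttls!r}")


def _after_ok(g: Greeting, encrypted: bool, ssl_starttls: str, prompt: Prompt) -> Decision:
    """Not-authenticated state: upgrade with STARTTLS if wanted and offered."""
    if encrypted or not _wants_tls(ssl_starttls, prompt):
        return Decision("login", "proceed to authentication")
    if "STARTTLS" in g.capabilities:
        return Decision("starttls", "server advertises STARTTLS")
    return Decision("abort", "STARTTLS wanted but not advertised")


def handle_greeting_vulnerable(line: str, *, encrypted: bool, ssl_starttls: str,
                               prompt: Prompt = lambda _: True) -> Decision:
    """Pre-fix behaviour: PREAUTH is trusted even on a plaintext socket."""
    g = parse_greeting(line)
    if g.status == "BYE":
        return Decision("abort", "server sent BYE")
    if g.status == "PREAUTH":
        # The bug: the session continues in the clear, STARTTLS is never attempted.
        return Decision("authenticated", "PREAUTH greeting accepted")
    return _after_ok(g, encrypted, ssl_starttls, prompt)


def handle_greeting_fixed(line: str, *, encrypted: bool, ssl_starttls: str,
                          prompt: Prompt = lambda _: True) -> Decision:
    """Post-fix behaviour: an unencrypted PREAUTH is checked against $ssl_starttls."""
    g = parse_greeting(line)
    if g.status == "BYE":
        return Decision("abort", "server sent BYE")
    if g.status == "PREAUTH":
        if not encrypted and _wants_tls(ssl_starttls, prompt):
            return Decision("abort", "unencrypted PREAUTH: STARTTLS is impossible "
                                     "in the authenticated state, refusing plaintext")
        return Decision("authenticated", "PREAUTH greeting accepted")
    return _after_ok(g, encrypted, ssl_starttls, prompt)


if __name__ == "__main__":
    # Constructed greetings: an honest server and a MITM-injected PREAUTH.
    honest = "* OK [CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN] server ready\r\n"
    injected = "* PREAUTH [CAPABILITY IMAP4rev1] logged in\r\n"
    for name, fn in (("vulnerable", handle_greeting_vulnerable),
                     ("fixed", handle_greeting_fixed)):
        for line in (honest, injected):
            d = fn(line, encrypted=False, ssl_starttls="yes")
            print(f"{name:10} {line.split()[1]:8} -> {d.action}: {d.reason}")
```

With `$ssl_starttls` set to yes (the default) the fixed handler aborts on an unencrypted PREAUTH, while the vulnerable one proceeds; with it set to no, or once the socket is already TLS, PREAUTH is accepted in both.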
(In reply to Sam James (sec padawan) from comment #0)
> Description:
> "This is an important security release fixing two issues.
>
> The first is a possible IMAP man-in-the-middle attack. No credentials
> are exposed, but could result in unintended emails being "saved" to an
> attacker's server. The $ssl_starttls quadoption is now used to check
> for an unencrypted PREAUTH response from the server.

This was assigned CVE-2020-14093.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6cdea241a6c518a14f1fc0f20dc2562bf3621ddf

commit 6cdea241a6c518a14f1fc0f20dc2562bf3621ddf
Author:     Fabian Groffen <grobian@gentoo.org>
AuthorDate: 2020-06-15 19:48:18 +0000
Commit:     Fabian Groffen <grobian@gentoo.org>
CommitDate: 2020-06-15 19:49:00 +0000

    mail-client/mutt-1.14.3: version bump fixing security issues

    Bug: https://bugs.gentoo.org/728294
    Package-Manager: Portage-2.3.99, Repoman-2.3.22
    Signed-off-by: Fabian Groffen <grobian@gentoo.org>

 mail-client/mutt/Manifest                                      | 4 ++--
 mail-client/mutt/{mutt-1.14.0-r1.ebuild => mutt-1.14.3.ebuild} | 0
 2 files changed, 2 insertions(+), 2 deletions(-)
@maintainer(s), let us know when ready for stabilisation, thanks for quick bump
1.14.3 is basically 1.14.2 + security fixes. I've been using 1.14.2 for a while without issues, so basically 1.14.3 is ready whenever you are. Thanks!
(In reply to Fabian Groffen from comment #5)
> 1.14.3 is basically 1.14.2 + security fixes.
>
> I'm using 1.14.2 for a while without issues, so basically 1.14.3 is ready
> whenever you are.
>
> Thanks!

Thanks! Let's go for it
sparc stable
hppa stable
We'll stabilise 1.14.4 instead in bug 728708.
Resetting sanity check; keywords are not fully specified and arches are not CC-ed.
Unable to check for sanity:
> no match for package: =mail-client/mutt-1.14.3
This issue was resolved and addressed in GLSA 202007-57 at https://security.gentoo.org/glsa/202007-57 by GLSA coordinator Sam James (sam_c).