Bug 728302 - <mail-client/neomutt-20200619: Multiple vulnerabilities
Summary: <mail-client/neomutt-20200619: Multiple vulnerabilities
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
Whiteboard: B3 [glsa+]
Keywords: CC-ARCHES
Depends on: 728980
Blocks: CVE-2020-14093, CVE-2020-14154
Reported: 2020-06-14 22:59 UTC by Sam James
Modified: 2020-07-29 00:23 UTC
Package list:
=mail-client/neomutt-20200626 amd64 x86
Runtime testing required: ---
nattka: sanity-check+


Description Sam James archtester gentoo-dev Security 2020-06-14 22:59:50 UTC
Vulnerable to the same issues as mail-client/mutt (see tracker).

From ajak (thanks!):
<ajak> lead neomutt dev: [22:52] < flatcap> ajak: yes, neomutt is still very similar to mutt and is affected
Comment 1 Sam James archtester gentoo-dev Security 2020-06-14 23:01:30 UTC
[00:01:34]  <ajak> oh, flatcap also said neomutt release due friday
Comment 2 John Helmert III gentoo-dev Security 2020-06-19 18:48:07 UTC
From the 20200619 changelog:

Prevent possible IMAP MITM via PREAUTH response

Looks like we're good on the second Mutt issue on Neomutt with this release. Maintainer(s), please bump.
Comment 3 Sam James archtester gentoo-dev Security 2020-06-19 20:16:48 UTC
Acked on IRC
Comment 4 John Helmert III gentoo-dev Security 2020-06-26 17:59:42 UTC
Release 20200626 is probably a better candidate for stabilization when it gets an ebuild due to runtime breakage:
Comment 5 Nicolas Bock gentoo-dev 2020-06-29 13:19:02 UTC
I pushed 2020-06-26 to tree.
Comment 6 Sam James archtester gentoo-dev Security 2020-07-26 15:31:37 UTC
GLSA vote: yes
Comment 7 Sam James archtester gentoo-dev Security 2020-07-27 21:15:29 UTC
amd64 stable
Comment 8 Sam James archtester gentoo-dev Security 2020-07-27 22:25:59 UTC
x86 stable. Please cleanup.
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2020-07-28 19:43:11 UTC
This issue was resolved and addressed in
 GLSA 202007-57 at
by GLSA coordinator Sam James (sam_c).
Comment 10 Sam James archtester gentoo-dev Security 2020-07-28 19:45:09 UTC
Reopening for cleanup.
Comment 11 Larry the Git Cow gentoo-dev 2020-07-29 00:20:01 UTC
The bug has been referenced in the following commit(s):

commit 68fc4385c792dd15b53c29355943fd94e1ef801f
Author:     Sam James <>
AuthorDate: 2020-07-29 00:19:28 +0000
Commit:     Sam James <>
CommitDate: 2020-07-29 00:19:39 +0000

    mail-client/neomutt: security cleanup
    Package-Manager: Portage-3.0.1, Repoman-2.3.23
    Signed-off-by: Sam James <>

 mail-client/neomutt/Manifest                |   3 -
 mail-client/neomutt/metadata.xml            |   4 -
 mail-client/neomutt/neomutt-20180716.ebuild | 130 ----------------------------
 mail-client/neomutt/neomutt-20200501.ebuild | 128 ---------------------------
 mail-client/neomutt/neomutt-20200619.ebuild | 128 ---------------------------
 5 files changed, 393 deletions(-)