Mutt and EFAIL

Kevin J. McCarthy kevin at
Sat May 19 23:03:27 UTC 2018

I've received a few questions about EFAIL and whether this release has
any related changes, so I hope you'll forgive me for sending a second
mutt-announce email today.

For those unaware, disclosed an attack on OpenPGP and
S/MIME emails this past week.  The researchers reported mutt-1.7.2 was
not successfully attacked.

So, the short answer is no, mutt-1.10.0 has no changes made as a result
of EFAIL, and the pgp/smime configuration variable changes in this
release are unrelated.

I am neither a security researcher nor a cryptographer, but here are my
current takeaways and suggestions:

* If you are using a version of mutt before 1.6.0 and rely on OpenPGP
  encryption, please upgrade.  1.6.0 introduced $pgp_decryption_okay,
  which scans the GnuPGP status output for a successful decryption code.

* Please make sure you update your config to the values suggested
  in contrib/gpg.rc (again, in particular $pgp_decryption_okay).

* Opening a decrypted email in an external browser should be considered
  unsafe.  Part of the attack was due to HTML injection.

* I don't believe autoviewing dumped HTML via lynx, elinks, etc is an
  issue.  However, the researchers did not specifically test that.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <>

More information about the Mutt-announce mailing list