GnuPG CVE-2018-12020 and Mutt

Kevin J. McCarthy kevin at
Fri Jun 8 23:28:36 UTC 2018

Hi Mutt Users,

GnuPG just released an important security fix involving injection into
the status-fd channel.  The details are at

If you are using the suggested values in contrib/gpg.rc, it should NOT
be necessary to switch to using GPGME (despite what they said in their

Specifically make sure you have "--no-verbose" in $pgp_decode_command,
$pgp_verify_command, and $pgp_decrypt_command.

There are a couple other (non-critical) issues Marcus Brinkmann found
and reported to Mutt.  They are mitigated by the new GnuPG release, and
by fixes in Mutt's stable branch.  I will release a new stable version
in the next couple weeks.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <>

More information about the Mutt-announce mailing list