CVE status and regression in 1.14.3 release

Kevin J. McCarthy kevin at 8t8.us
Sat Jun 20 21:49:56 UTC 2020


Hello Mutt Users,

Please pardon the "non-announcement" use of this list.  I generally try 
to keep the noise to a minimum, but felt this update was needed.

The 1.14.3 release, fixing a possible IMAP PREAUTH injection attack, had 
a regression.  Those using $tunnel to an IMAP server may now encounter 
an error "Encrypted connection unavailable" unless they change 
$ssl_starttls.

I've committed a fix: 
<https://gitlab.com/muttmua/mutt/-/commit/dc909119b3433a84290f0095c0f43a23b98b3748> 
but won't be able to make a release for 2-3 days.  Packagers may wish to 
apply the patch.  Users encountering the problem should set 
$ssl_starttls to "ask-yes", "ask-no", or "no" (with caution) for the 
time being.

In the release for 1.14.4, I promised a CVE number, but I have had no 
success so far, despite waiting a day and submitting again.  I may just 
be doing something wrong, so if any packager with more experience 
creating CVEs would like to do so for that release, I would greatly 
appreciate it.  (Perhaps also sending an email to mutt-dev, to avoid 
multiple submissions).

Thank you,

-Kevin

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://lists.mutt.org/pipermail/mutt-announce/attachments/20200620/e071b36d/attachment.asc>


More information about the Mutt-announce mailing list