mutt 1.14.3 released

Kevin J. McCarthy kevin at 8t8.us
Sun Jun 14 22:05:29 UTC 2020


Hello Mutt Users,

I've just released version 1.14.3.  Instructions for downloading are 
available at <http://www.mutt.org/download.html>, or the tarball can be 
directly downloaded from <http://ftp.mutt.org/pub/mutt/>.  Please take 
the time to verify the signature file against my public key.

This is an important security release fixing two issues.

The first is a possible IMAP man-in-the-middle attack.  No credentials 
are exposed, but it could result in unintended emails being "saved" to an 
attacker's server.  The $ssl_starttls quadoption is now used to check 
for an unencrypted PREAUTH response from the server.

Thanks very much to Damian Poddebniak and Fabian Ising from the Münster 
University of Applied Sciences for reporting this issue, and their help 
in testing the fix.

The second fix is for a problem with GnuTLS certificate prompting. 
"Rejecting" an expired intermediate cert did not terminate the 
connection.  Thanks to @henk on IRC for reporting the issue.

-Kevin
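
The check described in the message above, sketched as an added example; it is not part of the original announcement and is not Mutt's source code. A PREAUTH greeting puts an IMAP connection directly into the authenticated state, where RFC 3501 no longer permits STARTTLS, so a client that receives one in cleartext can never upgrade. The function names and the mapping of quadoption values to outcomes are assumptions made for illustration.

```python
import re

# First server line of an IMAP session (RFC 3501 greeting).
GREETING_RE = re.compile(rb"^\* (OK|PREAUTH|BYE)\b", re.IGNORECASE)

def greeting_state(line: bytes) -> str:
    """Return 'OK', 'PREAUTH' or 'BYE' for an IMAP greeting line."""
    m = GREETING_RE.match(line)
    if not m:
        raise ValueError("not an IMAP greeting: %r" % line)
    return m.group(1).decode("ascii").upper()

def decide(greeting: bytes, encrypted: bool, ssl_starttls: str,
           confirm_abort=None) -> str:
    """Decide what a client should do after the greeting.

    ssl_starttls is a quadoption: 'yes', 'no', 'ask-yes' or 'ask-no'.
    confirm_abort is a hypothetical prompt callback returning True to abort;
    without one, the ask-* values fall back to their default answer.
    Returns 'abort', 'continue' or 'negotiate' (normal STARTTLS handling).
    """
    if ssl_starttls not in ("yes", "no", "ask-yes", "ask-no"):
        raise ValueError("bad quadoption: %r" % ssl_starttls)
    state = greeting_state(greeting)
    if state == "BYE":
        return "abort"
    if encrypted:
        return "continue"          # TLS already protects the session
    if state == "OK":
        return "negotiate"         # not authenticated yet, STARTTLS still possible
    # Cleartext PREAUTH: STARTTLS is no longer allowed in this state, so the
    # session would stay unencrypted. Treat it as a likely interception.
    if ssl_starttls == "yes":
        return "abort"
    if ssl_starttls == "no":
        return "continue"
    if confirm_abort is None:
        wants_abort = (ssl_starttls == "ask-yes")
    else:
        wants_abort = bool(confirm_abort("Abort unencrypted PREAUTH connection?"))
    return "abort" if wants_abort else "continue"

if __name__ == "__main__":
    # Constructed sample greetings, not captured traffic.
    for line in (b"* OK IMAP4rev1 ready\r\n", b"* PREAUTH logged in\r\n"):
        for opt in ("yes", "ask-no", "no"):
            print(line.strip().decode(), opt, "->", decide(line, False, opt))
```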