mutt 2.2.3 released
Kevin J. McCarthy
kevin at 8t8.us
Tue Apr 12 20:16:44 UTC 2022
Hello Mutt Users,
I've just released version 2.2.3. Instructions for downloading are
available at <http://www.mutt.org/download.html>, or the tarball can be
directly downloaded from <http://ftp.mutt.org/pub/mutt/>. Please take
the time to verify the signature file against my public key[1].
This is a bug-fix release, addressing CVE-2022-1328: a buffer overread
in the uuencoded decoder routine. For more details please see GitLab
ticket 404: <https://gitlab.com/muttmua/mutt/-/issues/404>. The commit
fixing this issue is at
<https://gitlab.com/muttmua/mutt/-/commit/e5ed080c00e59701ca62ef9b2a6d2612ebf765a5>
Also fixed were possible integer overflow issues in the general iconv
and rfc2047-conversion iconv functions. These are not believed to be
exploitable.
A huge thank you to Tavis Ormandy for reporting these issues, suggesting
a patch for the iconv issue, helping test, and providing constructive
feedback. Hurray for the white-hats!
-Kevin
[1]
My public key is available at:
- my personal website: https://www.8t8.us/configs/80316BDA.asc.pubkey
- the mutt website: http://www.mutt.org/keys/kevin.key
- The keys.openpgp.org network
https://keys.openpgp.org/vks/v1/by-fingerprint/8975A9B33AA37910385C5308ADEF768480316BDA
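
The signature check requested in the announcement, as an added example that is not part of the original message or the Mutt project: it accepts a release only when gpg reports a valid signature under the fingerprint given in [1]. The file names in the usage comment and the sample status lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the announcement): accept a release signature only
# if gpg reports it valid AND made under the fingerprint published above.
# Assumes the key has already been imported with `gpg --import`.
EXPECTED_FPR=8975A9B33AA37910385C5308ADEF768480316BDA

# Reads `gpg --status-fd` lines on stdin. Succeeds only when a VALIDSIG line
# names $1 as the primary-key fingerprint (its last field) and no
# bad/expired/revoked status line appears.
status_is_trusted() {
    want=$1
    matched=1
    while read -r tag keyword rest; do
        [ "$tag" = "[GNUPG:]" ] || continue
        case $keyword in
            BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG) return 1 ;;
            VALIDSIG) if [ "${rest##* }" = "$want" ]; then matched=0; fi ;;
        esac
    done
    return "$matched"
}

# $1 = detached signature, $2 = signed file.
verify_release() {
    gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null |
        status_is_trusted "$EXPECTED_FPR"
}

# Constructed status output: the signing subkey fingerprint (all 1s) is made up.
SAMPLE_STATUS="[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 1111111111111111 Constructed User
[GNUPG:] VALIDSIG 1111111111111111111111111111111111111111 2022-04-12 1649794604 0 4 0 1 10 00 $EXPECTED_FPR"

if [ "$#" -eq 2 ]; then
    # e.g. sh verify.sh mutt-2.2.3.tar.gz.asc mutt-2.2.3.tar.gz (assumed names)
    verify_release "$1" "$2" && echo "signature matches $EXPECTED_FPR"
else
    printf '%s\n' "$SAMPLE_STATUS" | status_is_trusted "$EXPECTED_FPR" &&
        echo "sample status accepted"
fi
```

Comparing the last VALIDSIG field rather than trusting gpg's exit code alone means a good signature from some other key in the keyring is rejected.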