CVE status and regression in 1.14.3 release
Kevin J. McCarthy
kevin at 8t8.us
Sat Jun 20 21:49:56 UTC 2020
Hello Mutt Users,
Please pardon the "non-announcement" use of this list. I generally try
to keep the noise to a minimum, but felt this update was needed.
The 1.14.3 release, fixing a possible IMAP PREAUTH injection attack, had
a regression. Those using $tunnel to an IMAP server may now encounter
an error "Encrypted connection unavailable" unless they change
$ssl_starttls.
I've committed a fix:
<https://gitlab.com/muttmua/mutt/-/commit/dc909119b3433a84290f0095c0f43a23b98b3748>
but won't be able to make a release for 2-3 days. Packagers may wish to
apply the patch. Users encountering the problem should set
$ssl_starttls to "ask-yes", "ask-no", or "no" (with caution) for the
time being.
In the release for 1.14.4, I promised a CVE number, but I have had no
success so far, despite waiting a day and submitting again. I may just
be doing something wrong, so if any packager with more experience
creating CVEs would like to do so for that release, I would greatly
appreciate it. (Perhaps also sending an email to mutt-dev, to avoid
multiple submissions).
Thank you,
-Kevin