| Summary: | mutt new security issues CVE-2020-14093, CVE-2020-14154, and CVE-2020-14954 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | andrewsfarm, herman.viaene, jani.valimaa, sysadmin-bugs |
| Version: | 7 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA7-64-OK | ||
| Source RPM: | mutt-1.11.4-1.1.mga7.src.rpm | CVE: | |
| Status comment: | |||
| Bug Depends on: | |||
| Bug Blocks: | 27232 | ||
Description
David Walser
2020-06-23 23:50:45 CEST
David Walser
2020-06-23 23:50:58 CEST
CC: (none) => jani.valimaa, smelror

Assigning to Jani as the active registered maintainer of this (removed his CC).

Assignee: bugsquad => jani.valimaa

Mutt is already fixed in cauldron.

Pushed mutt-1.11.4-1.2.mga7 with patches from upstream to core/updates_testing for mga7.

SRPMS:
mutt-1.11.4-1.2.mga7

RPMS:
mutt-1.11.4-1.2.mga7
mutt-doc-1.11.4-1.2.mga7

Assigning to Stig for neomutt part.

CC: smelror => jani.valimaa

Commits for neomutt appear to be:
https://github.com/neomutt/neomutt/commit/fb013ec666759cb8a9e294347c7b4c1f597639cc
https://github.com/neomutt/neomutt/commit/9909cde1f332d2f641c6aec0eb92adf0a150c7e5
https://github.com/neomutt/neomutt/commit/cf3483f485001b170d27299f76b3ffd4c89897a7
https://github.com/neomutt/neomutt/commit/37c98ed320e5e2ba4824d6338b06f564f27aa7ad

It looks like the last two are actually post 20200619, so should be added in Cauldron also.

Also mutt 1.14.5 is out, so it should be updated in Cauldron.

openSUSE has issued an advisory on June 30:
https://lists.opensuse.org/opensuse-updates/2020-06/msg00165.html

This fixes an additional issue, CVE-2020-14154, also fixed in 1.14.3. Let's make sure we have that fix for mutt and neomutt too:
https://bugzilla.suse.com/show_bug.cgi?id=1172906#c4

Summary: mutt, neomutt new security issues CVE-2020-14093 and CVE-2020-14954 => mutt, neomutt new security issues CVE-2020-14093, CVE-2020-14154, and CVE-2020-14954

Stig-Ørjan, ping! We need you to fix neomutt.
David Walser
2020-08-31 14:48:15 CEST
Blocks: (none) => 27232

neomutt split to Bug 27232.

Advisory:
========================

Updated mutt packages fix security vulnerabilities:

A potential IMAP Man-in-the-Middle attack via a PREAUTH response (CVE-2020-14093).

Mutt was ignoring an expired certificate and was proceeding with a connection (CVE-2020-14154).

A response injection due to a STARTTLS buffering issue which was affecting IMAP, SMTP, and POP3 (CVE-2020-14954).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14093
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14154
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14954
https://lists.opensuse.org/opensuse-updates/2020-06/msg00165.html
========================

Updated packages in core/updates_testing:
========================
mutt-1.11.4-1.3.mga7
mutt-doc-1.11.4-1.3.mga7

from mutt-1.11.4-1.3.mga7.src.rpm

Assignee: smelror => qa-bugs

MGA7-64 Plasma on Lenovo B50
No installation issues.
Took the advice from Mike in bug 25909 and ran # mutt -f /var/spool/mail/postfix
45 kept, 0 deleted.
answering no to the question of creating an account for root, so I could have a look at the existing mails.
Works OK

CC: (none) => herman.viaene

Validating. Advisory in Comment 7.

Keywords: (none) => validated_update
Aurelien Oudelet
2020-09-01 15:41:15 CEST
Keywords: (none) => advisory

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0357.html

Status: NEW => RESOLVED