Bug 27232

Summary: neomutt new security issues CVE-2020-14093, CVE-2020-14154, CVE-2020-14954, CVE-2020-28896
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: Stig-Ørjan Smelror <smelror>
Status: RESOLVED OLD QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: zombie_ryushu
Version: 7   
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Source RPM: neomutt-20180716-0.4.mga7.src.rpm CVE:
Status comment: Fixed upstream in 20201120
Bug Depends on: 26852    
Bug Blocks:    

Description David Walser 2020-08-31 14:48:15 CEST 
+++ This bug was initially created as a clone of Bug #26852 +++

Debian has issued advisories on June 19 and 21:
https://www.debian.org/security/2020/dsa-4707
https://www.debian.org/security/2020/dsa-4708

The issues are fixed upstream in mutt 1.14.4 and neomutt 20200619.

Commits for neomutt appear to be:
https://github.com/neomutt/neomutt/commit/fb013ec666759cb8a9e294347c7b4c1f597639cc
https://github.com/neomutt/neomutt/commit/9909cde1f332d2f641c6aec0eb92adf0a150c7e5
https://github.com/neomutt/neomutt/commit/cf3483f485001b170d27299f76b3ffd4c89897a7
https://github.com/neomutt/neomutt/commit/37c98ed320e5e2ba4824d6338b06f564f27aa7ad

It looks like the last two are actually post 20200619, so should be added in Cauldron also.

openSUSE has issued an advisory on June 30:
https://lists.opensuse.org/opensuse-updates/2020-06/msg00165.html

This fixes an additional issue, CVE-2020-14154, also fixed in 1.14.3.

Let's make sure we have that fix for mutt and neomutt too:
https://bugzilla.suse.com/show_bug.cgi?id=1172906#c4
Comment 1 Stig-Ørjan Smelror 2020-09-26 21:47:29 CEST 
Cauldron has been updated to version 20200925.
Comment 2 David Walser 2020-09-26 22:04:02 CEST 
Mageia 7 needs to be updated.
Comment 3 David Walser 2020-11-29 17:06:28 CET 
Ubuntu has issued an advisory on November 25:
https://ubuntu.com/security/notices/USN-4645-1

Upstream commit:
https://github.com/neomutt/neomutt/commit/9c36717a3e2af1f2c1b7242035455ec8112b4b06

Issue fixed in 20201120.

Summary: neomutt new security issues CVE-2020-14093, CVE-2020-14154, and CVE-2020-14954 => neomutt new security issues CVE-2020-14093, CVE-2020-14154, CVE-2020-14954, CVE-2020-28896

Comment 4 David Walser 2020-12-02 16:54:38 CET 
openSUSE has issued an advisory for neomutt on December 1:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/RDM45YGFPRPSTCQV554CQT4P74X6HNGI/
Comment 5 David Walser 2020-12-13 04:44:21 CET 
*** Bug 27809 has been marked as a duplicate of this bug. ***

CC: (none) => zombie_ryushu

David Walser 2020-12-28 18:49:07 CET

Status comment: (none) => Fixed upstream in 20201120

Comment 6 David Walser 2021-07-01 18:24:15 CEST 
https://blog.mageia.org/en/2021/06/08/mageia-7-will-reach-end-of-support-on-30th-of-june-the-king-is-dead-long-live-the-king/

Status: NEW => RESOLVED
Resolution: (none) => OLD