Bug 27686

Summary: mutt new security issue CVE-2020-28896
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: major
Priority: Normal
CC: herman.viaene, jani.valimaa, ouaurelien, sysadmin-bugs
Version: 7
Keywords: advisory, validated_update
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard: MGA7-64-OK
Source RPM: mutt-1.11.4-1.3.mga7.src.rpm
CVE:
Status comment:

Description David Walser 2020-11-29 17:04:54 CET
Ubuntu has issued an advisory on November 25:
https://ubuntu.com/security/notices/USN-4645-1

The issue is fixed upstream in 2.0.2.
Comment 1 Jani Välimaa 2020-11-29 18:39:08 CET
Backported an upstream patch to fix the bug. Please test mutt-1.11.4-1.4.mga7.

Assignee: jani.valimaa => qa-bugs

Comment 2 Jani Välimaa 2020-11-29 18:40:22 CET
SRPMS:
mutt-1.11.4-1.4.mga7

RPMS:
mutt-1.11.4-1.4.mga7
mutt-doc-1.11.4-1.4.mga7

CC: (none) => jani.valimaa

Comment 3 David Walser 2020-11-29 18:46:19 CET
Advisory:
========================

Updated mutt packages fix security vulnerability:

Mutt before 2.0.2 did not ensure that $ssl_force_tls was processed if an IMAP
server's initial server response was invalid. The connection was not properly
closed, and the code could continue attempting to authenticate. This could
result in authentication credentials being exposed on an unencrypted
connection, or to a machine-in-the-middle (CVE-2020-28896).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28896
https://ubuntu.com/security/notices/USN-4645-1
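As an added illustration of the failure the advisory describes (a constructed Python model, not mutt's own code): the pre-2.0.2 variant reports an invalid IMAP greeting but leaves the connection open, so the next lookup of that cached connection goes straight to LOGIN without ever reaching the $ssl_force_tls check; the fixed variant closes it. The class and function names, the state values and the assumption that STARTTLS succeeds when advertised are all constructed for this example.

```python
import re

# Constructed model of the IMAP connection setup in the advisory; not mutt's code.
GREETING_RE = re.compile(rb"^\* (OK|PREAUTH|BYE)\b")
CLOSED, CONNECTED, AUTHENTICATED = "closed", "connected", "authenticated"

class ImapConn:
    """Stand-in for a cached IMAP connection object (assumed names)."""
    def __init__(self, greeting: bytes, encrypted: bool = False):
        self.greeting = greeting    # constructed server greeting line
        self.encrypted = encrypted  # True once the session runs under TLS
        self.state = CONNECTED      # socket open, greeting not yet checked
        self.checked = False        # greeting and TLS policy evaluated?
        self.sent = []              # commands written to the socket

def open_connection(conn, ssl_force_tls, fixed=True):
    """Check the greeting and enforce $ssl_force_tls (0 ok, -1 error). fixed=False
    models the pre-2.0.2 flaw: a bad greeting is rejected but not closed."""
    m = GREETING_RE.match(conn.greeting)
    if m is None:
        if fixed:
            conn.state = CLOSED     # the fix: an invalid greeting closes the socket
        return -1
    if m.group(1) == b"BYE":
        conn.state = CLOSED
        return -1
    if m.group(1) == b"OK" and ssl_force_tls and not conn.encrypted:
        if b"STARTTLS" in conn.greeting:  # assume STARTTLS succeeds if advertised
            conn.encrypted = True
        else:
            conn.state = CLOSED     # $ssl_force_tls: no TLS means no session
            return -1
    if m.group(1) == b"PREAUTH":
        conn.state = AUTHENTICATED  # server pre-authenticated us, no LOGIN needed
    return 0

def find_connection(conn, ssl_force_tls, fixed=True):
    """Look up a cached connection for a mailbox: one still CONNECTED after its
    greeting check is authenticated as-is, so a leftover open socket gets LOGIN."""
    if conn.state == CLOSED:
        return "reconnect-needed"
    if conn.state == CONNECTED and not conn.checked:
        conn.checked = True
        if open_connection(conn, ssl_force_tls, fixed) != 0:
            return "error"
    if conn.state == CONNECTED:
        conn.sent.append(b"a001 LOGIN user secret")  # credentials leave the client
        conn.state = AUTHENTICATED
    return "authenticated-tls" if conn.encrypted else "authenticated-plaintext"
```

With `fixed=False` and a garbage greeting, the second `find_connection` call sends LOGIN on the unencrypted socket; with the fix it reports that a reconnect is needed and nothing is sent.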
Comment 4 Herman Viaene 2020-11-30 12:19:20 CET
MGA7-64 MATE on PeaqC1011
No installation issues
Ref bug 26852 for test
# mutt -f /var/spool/mail/postfix
25 kept, 28 deleted.
I could read and delete (as shown in the feedback) some messages. Reopening just to confirm the operations worked out OK.
# mutt -f /var/spool/mail/postfix
25 kept, 0 deleted.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA7-64-OK

Comment 5 Aurelien Oudelet 2020-12-01 10:37:48 CET
Advisory pushed to SVN.

Can someone test IMAP SSL with mutt?

CC: (none) => ouaurelien

Comment 6 Aurelien Oudelet 2020-12-05 17:27:14 CET
Validating
Advisory pushed.

Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs

Comment 7 Mageia Robot 2020-12-05 20:48:13 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0448.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED