+++ This bug was initially created as a clone of Bug #26852 +++

Debian has issued advisories on June 19 and 21:
https://www.debian.org/security/2020/dsa-4707
https://www.debian.org/security/2020/dsa-4708

The issues are fixed upstream in mutt 1.14.4 and neomutt 20200619.

Commits for neomutt appear to be:
https://github.com/neomutt/neomutt/commit/fb013ec666759cb8a9e294347c7b4c1f597639cc
https://github.com/neomutt/neomutt/commit/9909cde1f332d2f641c6aec0eb92adf0a150c7e5
https://github.com/neomutt/neomutt/commit/cf3483f485001b170d27299f76b3ffd4c89897a7
https://github.com/neomutt/neomutt/commit/37c98ed320e5e2ba4824d6338b06f564f27aa7ad

It looks like the last two are actually post 20200619, so should be added in Cauldron also.

openSUSE has issued an advisory on June 30:
https://lists.opensuse.org/opensuse-updates/2020-06/msg00165.html

This fixes an additional issue, CVE-2020-14154, also fixed in 1.14.3. Let's make sure we have that fix for mutt and neomutt too:
https://bugzilla.suse.com/show_bug.cgi?id=1172906#c4
Cauldron has been updated to version 20200925.
Mageia 7 needs to be updated.
Ubuntu has issued an advisory on November 25:
https://ubuntu.com/security/notices/USN-4645-1

Upstream commit:
https://github.com/neomutt/neomutt/commit/9c36717a3e2af1f2c1b7242035455ec8112b4b06

Issue fixed in 20201120.
Summary: neomutt new security issues CVE-2020-14093, CVE-2020-14154, and CVE-2020-14954 => neomutt new security issues CVE-2020-14093, CVE-2020-14154, CVE-2020-14954, CVE-2020-28896
openSUSE has issued an advisory for neomutt on December 1:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/RDM45YGFPRPSTCQV554CQT4P74X6HNGI/
*** Bug 27809 has been marked as a duplicate of this bug. ***
CC: (none) => zombie_ryushu
Status comment: (none) => Fixed upstream in 20201120
https://blog.mageia.org/en/2021/06/08/mageia-7-will-reach-end-of-support-on-30th-of-june-the-king-is-dead-long-live-the-king/
Status: NEW => RESOLVED
Resolution: (none) => OLD