Ubuntu has issued an advisory on November 25:
https://ubuntu.com/security/notices/USN-4645-1

The issue is fixed upstream in 2.0.2.
Backported an upstream patch to fix the bug. Please test mutt-1.11.4-1.4.mga7.
Assignee: jani.valimaa => qa-bugs
SRPMS:
mutt-1.11.4-1.4.mga7

RPMS:
mutt-1.11.4-1.4.mga7
mutt-doc-1.11.4-1.4.mga7
CC: (none) => jani.valimaa
Advisory:
========================

Updated mutt packages fix security vulnerability:

Mutt before 2.0.2 did not ensure that $ssl_force_tls was processed if an IMAP server's initial server response was invalid. The connection was not properly closed, and the code could continue attempting to authenticate. This could result in authentication credentials being exposed on an unencrypted connection, or to a machine-in-the-middle (CVE-2020-28896).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28896
https://ubuntu.com/security/notices/USN-4645-1
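The failure mode in the advisory text, modelled as an added example that is not part of this bug thread and is not mutt's code: a scripted IMAP client that either skips the TLS requirement after an invalid greeting or closes the connection before any credentials are sent. The names `run_client`, `fail_closed` and `ConnectionClosed` are hypothetical, the server lines are constructed, and only `* OK` is treated as a valid greeting to keep the model small.

```python
import re

# Simplification for this model: only an untagged OK counts as a valid greeting.
GREETING_OK = re.compile(rb"^\* OK( |$)", re.I)


class ConnectionClosed(Exception):
    """The client closed the socket before sending any credentials."""


def run_client(server_lines, force_tls, fail_closed):
    """Return the commands a client sends for a scripted (constructed) server.

    fail_closed=False models the flaw class in the advisory: an invalid
    greeting is ignored, the TLS requirement is never processed, and the
    client carries on to authenticate in cleartext.
    """
    lines = iter(server_lines)
    sent = []
    tls_active = False

    greeting = next(lines, b"").rstrip(b"\r\n")
    greeting_valid = bool(GREETING_OK.match(greeting))
    if not greeting_valid and fail_closed:
        raise ConnectionClosed("invalid greeting")

    if greeting_valid and force_tls:
        sent.append("a1 STARTTLS")
        if not next(lines, b"").upper().startswith(b"A1 OK"):
            raise ConnectionClosed("STARTTLS refused while TLS is required")
        tls_active = True  # the TLS handshake itself is out of scope here

    # Defence in depth: check the invariant right before credentials leave,
    # independent of which path led here.
    if fail_closed and force_tls and not tls_active:
        raise ConnectionClosed("TLS required but not active")

    channel = "tls" if tls_active else "cleartext"
    sent.append(f"a2 LOGIN <credentials> [{channel}]")
    return sent


if __name__ == "__main__":
    print(run_client([b"garbage\r\n"], force_tls=True, fail_closed=False))
    print(run_client([b"* OK ready\r\n", b"a1 OK go\r\n"], True, True))
```
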
MGA7-64 MATE on PeaqC1011
No installation issues.
Ref bug 26852 for test
# mutt -f /var/spool/mail/postfix
25 kept, 28 deleted.
I could read and delete (as shown in the feedback) some messages.
Reopening just to confirm the operations worked out OK.
# mutt -f /var/spool/mail/postfix
25 kept, 0 deleted.
CC: (none) => herman.viaene
Whiteboard: (none) => MGA7-64-OK
Advisory pushed to SVN. Can someone test IMAP SSL with mutt?
CC: (none) => ouaurelien
Validating. Advisory pushed.
Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0448.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED