Bug 28159 - mutt new denial of service security issue (CVE-2021-3181)
Summary: mutt new denial of service security issue (CVE-2021-3181)
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 7
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks: 28296
  Show dependency treegraph
 
Reported: 2021-01-18 17:05 CET by David Walser
Modified: 2021-02-05 12:56 CET (History)
3 users (show)

See Also:
Source RPM: mutt-1.11.4-1.4.mga7.src.rpm
CVE: CVE-2021-3181
Status comment:


Attachments

Description David Walser 2021-01-18 17:05:31 CET
A denial of service issue due to memory leak has been fixed upstream in mutt:
https://www.openwall.com/lists/oss-security/2021/01/17/2

The commit that fixed the issue is linked from the message above.

Mageia 7 may also be affected (and maybe neomutt?).
Comment 1 Nicolas Lécureuil 2021-01-19 09:40:00 CET
fixed on mga8.

Valid on mga7

src: 
    mutt-1.11.4-1.5.mga7

CC: (none) => mageia
Assignee: jani.valimaa => qa-bugs
Version: Cauldron => 7

Comment 2 David Walser 2021-01-19 14:48:25 CET
Nicolas, did you check neomutt?  (also, the package is unmaintained for mga7)

As for mutt:
mutt-1.11.4-1.5.mga7
mutt-doc-1.11.4-1.5.mga7

from mutt-1.11.4-1.5.mga7.src.rpm
Comment 3 David Walser 2021-01-20 14:34:55 CET
CVE-2021-3181 has been assigned for this:
https://www.openwall.com/lists/oss-security/2021/01/19/10

Summary: mutt new denial of service security issue => mutt new denial of service security issue (CVE-2021-3181)

Comment 4 David Walser 2021-01-21 16:44:30 CET
Debian-LTS has issued an advisory for this today (January 21):
https://www.debian.org/lts/security/2021/dla-2529
Comment 5 David Walser 2021-01-26 05:40:02 CET
Ubuntu has issued an advisory for this today (January 25):
https://ubuntu.com/security/notices/USN-4703-1

Status comment: (none) => mutt patched, need to check if neomutt is affected
Severity: normal => major

Aurelien Oudelet 2021-02-04 18:56:58 CET

CVE: (none) => CVE-2021-3181
Source RPM: mutt-2.0.4-1.mga8.src.rpm => mutt-1.11.4-1.4.mga7.src.rpm
CC: (none) => ouaurelien

Comment 6 Aurelien Oudelet 2021-02-05 10:28:29 CET
MGA7 64 Plasma + Postfix mail server to serve root mail.

No installation issues with QA Repo
Look previous BR, and see the advice from Mike in bug 25909 and run
# mutt -f /var/spool/mail/root
13 kept, 0 deleted.
See all MSEC reports.

Looks OK for me.

Validating.
Advisory pushed to SVN.

Not sure: Neomutt is not patched? (not in updates_testing).

Keywords: (none) => advisory
Whiteboard: (none) => MGA7-64-OK

Aurelien Oudelet 2021-02-05 10:30:14 CET

Blocks: (none) => 28296

Aurelien Oudelet 2021-02-05 10:31:37 CET

Keywords: (none) => validated_update
Status comment: mutt patched, need to check if neomutt is affected => (none)
CC: (none) => sysadmin-bugs
See Also: (none) => https://bugs.mageia.org/show_bug.cgi?id=28296

Comment 7 Mageia Robot 2021-02-05 12:56:21 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0070.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED


Note You need to log in before you can comment on or make changes to this bug.