Mutt 2.2.3 has been announced on April 12, fixing a security issue: https://marc.info/?l=mutt-users&m=164979464612885&w=2 Mageia 8 is also affected.
Whiteboard: (none) => MGA8TOOStatus comment: (none) => Fixed upstream in 2.2.3
Fixed in cauldron with mutt-2.2.3-1.mga9.
Whiteboard: MGA8TOO => (none)Source RPM: mutt-2.2.2-1.mga9.src.rpm => mutt-2.0.5-1.mga8Version: Cauldron => 8URL: (none) => https://gitlab.com/muttmua/mutt/-/issues/404
Please test mutt-2.0.5-1.1.mga8 from core/updates_testing. It includes the fix from upstream: https://gitlab.com/muttmua/mutt/-/commit/e5ed080c00e59701ca62ef9b2a6d2612ebf765a5
CC: (none) => jani.valimaaAssignee: jani.valimaa => qa-bugs
mutt-2.0.5-1.1.mga8 mutt-doc-2.0.5-1.1.mga8 from mutt-2.0.5-1.1.mga8.src.rpm
Status comment: Fixed upstream in 2.2.3 => (none)
neomutt-doc-20220415-1.mga8 neomutt-20220415-1.mga8 from neomutt-20220415-1.mga8.src.rpm
CVE: (none) => CVE-2022-1328Summary: mutt new security issue CVE-2022-1328 => mutt/neomutt new security issue CVE-2022-1328CC: (none) => smelrorSource RPM: mutt-2.0.5-1.mga8 => mutt-2.0.5-1.mga8, neomutt-20210205-1.mga8
openSUSE has issued an advisory for this on April 25: https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/DR7ZSOKFQZ5EIKQHLZ37AMGVPDGDIJ5W/
MGA8-64 Plasma on Lenovo B50 in Dutch No installation issues. Test as bug 28159 Comment 5 (this is a new user on the system!!! $ mutt -f /var/spool/mail/tester8 Mailbox is unchanged. Tried again to do a real mail after configuring .muttrc (my regular account is a pop accunt, no authentication at smtp, but I keep running into problems as in bug 25909 $ echo "" | mutt -s "testmutt" -i body.txt herman.viaene@hotmail.be TLSv1.3 connection using TLSv1.3 (TLS_AES_256_GCM_SHA384) SASL authentication failed Could not send the message. Googled a lot but found no solution , bug 28159 was OK'ed with the first test????
CC: (none) => herman.viaene
Ubuntu has issued an advisory on April 28: https://ubuntu.com/security/notices/USN-5392-1 Another issue was fixed upstream in mutt 2.0.7. I'm not sure about neomutt.
Assignee: qa-bugs => jani.valimaaSummary: mutt/neomutt new security issue CVE-2022-1328 => mutt/neomutt new security issues CVE-2021-32055 and CVE-2022-1328Status comment: (none) => Fixed upstream in 2.0.7
Fedora has issued an advisory for this today (June 10): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/35CD7NH4NFPF5OEG2PHI3CZ3UOK3ICXR/
openSUSE has issued an advisory for neomutt today (June 21): https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/YAIJ2AOB7KV4ZEDS2ZHBBCKGSPYKSKDI/
mutt 2.0.7 pushed to mga8 updates_testing.
CC: (none) => brunoAssignee: jani.valimaa => qa-bugsStatus: NEW => ASSIGNED
Thanks. We most likely need neomutt updated again as well.
Assignee: qa-bugs => pkg-bugsStatus comment: Fixed upstream in 2.0.7 => (none)
neomutt 2023-05-17 pushed as well.
Assignee: pkg-bugs => qa-bugs
mutt-2.0.7-1.1.mga8 mutt-doc-2.0.7-1.1.mga8 neomutt-doc-20230517-1.mga8 neomutt-20230517-1.mga8 from SRPMS: mutt-2.0.7-1.1.mga8.src.rpm neomutt-20230517-1.mga8.src.rpm
MGA8-64 MATE on Acer Aspire 5253 No installation issues Tried to follow procedure from bug 25909, but keep getting problems with authentication $ echo "" | mutt -s "testmutt" -i body.txt herman.viaene@hotmail.be TLSv1.3 connection using TLSv1.3 (TLS_AES_256_GCM_SHA384) No authenticators available Could not send the message. My muttrc reads # About Me set from = "hviaene@gmail.com" set realname = "Ikke Thuis" # My credentials set smtp_url = "smtp://hviaene@gmail.com@smtp.gmail.com:587/" set smtp_pass = "<passwd>" set imap_user = "hviaene@gmail.com" set imap_pass = "<passwd" set smtp_authenticators="sasl" set ssl_starttls = yes set ssl_force_tls = yes # My mailboxes set folder = "imaps://imap.gmail.com:993" set spoolfile = "+INBOX" # Where to put the stuff set header_cache = "~/.mutt/cache/headers" set message_cachedir = "~/.mutt/cache/bodies" set certificate_file = "~/.mutt/certificates" # Etc set mail_check = 30 set move = no set imap_keepalive = 900 set sort = threads set editor = "vim" # GnuPG bootstrap # source ~/.mutt/gpg.rc
(In reply to Herman Viaene from comment #14) > $ echo "" | mutt -s "testmutt" -i body.txt herman.viaene@hotmail.be > TLSv1.3 connection using TLSv1.3 (TLS_AES_256_GCM_SHA384) > No authenticators available > Could not send the message. Humm, I don't use TLS, but have my own SMTP postfix server and since yesterday I have used mutt 2.0.7 to send and receive messages without issue, so I think this is linked more to your setup rather than the tool itself :-( > My muttrc reads > # About Me > set from = "hviaene@gmail.com" > set realname = "Ikke Thuis" > # My credentials > set smtp_url = "smtp://hviaene@gmail.com@smtp.gmail.com:587/" > set smtp_pass = "<passwd>" > set imap_user = "hviaene@gmail.com" > set imap_pass = "<passwd" > set smtp_authenticators="sasl" > set ssl_starttls = yes > set ssl_force_tls = yes Seems linked to the sasl usage as smtp_authenticators. From the doc: The built-in SMTP support supports encryption (the smtps protocol using SSL or TLS) as well as SMTP authentication using SASL. The authentication mechanisms for SASL are specified in $smtp_authenticators defaulting to an empty list which makes Mutt try all available methods from most-secure to least-secure. So what happens if you comment it ? Also: 3.353. smtp_authenticators Type: string Default: (empty) This is a colon-delimited list of authentication methods mutt may attempt to use to log in to an SMTP server, in the order mutt should try them. Authentication methods are any SASL mechanism, e.g. “digest-md5”, “gssapi” or “cram-md5”. This option is case-insensitive. If it is “unset” (the default) mutt will try all available methods, in order from most-secure to least-secure. Example: set smtp_authenticators="digest-md5:cram-md5"
Any of the suggestions above resolves the authentication problem. But I agree to send it off based on Bruno's test. I'm not confident in my own knowledge of mutt.
Whiteboard: (none) => MGA8-64-OK
Validating.
Keywords: (none) => validated_updateCC: (none) => andrewsfarm, sysadmin-bugs
CC: (none) => davidwhodginsKeywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2023-0232.html
Resolution: (none) => FIXEDStatus: ASSIGNED => RESOLVED