openSUSE has issued an advisory on November 27:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/ZYFPGXOX4Q4I4UNPEGXP2N372IN2YSAS/

They updated neomutt to version 20241114 but Debian says version 20241002 already fixed those problems so it seems only Mageia 9 is affected.
Status comment: (none) => Fixed upstream in 20241002
CVE: (none) => CVE-2024-49393, CVE-2024-49394
Source RPM: (none) => neomutt-20230517-1.mga9.src.rpm
In Cauldron:
Oct 3 (8 weeks ago) - Update to version 20241002

So, it is just a question of applying this version to M9 (+ advisory).
Assigning to Stig who currently maintains this SRPM.
Assignee: bugsquad => smelror
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

to and cc email header fields are not protected by cryptographic signing. (CVE-2024-49393)

in-reply-to email header field is not protected by cryptographic signing. (CVE-2024-49394)

References:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/ZYFPGXOX4Q4I4UNPEGXP2N372IN2YSAS/
========================

Updated packages in core/updates_testing:
========================
neomutt-20241002-1.mga9
neomutt-doc-20241002-1.mga9

from SRPM:
neomutt-20241002-1.mga9.src.rpm
Assignee: smelror => qa-bugs
Status: NEW => ASSIGNED
Status comment: Fixed upstream in 20241002 => (none)
Keywords: (none) => advisory
RH x86_64

installing neomutt-doc-20241002-1.mga9.noarch.rpm neomutt-20241002-1.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing... ##################################################################################################
1/2: neomutt-doc ##################################################################################################
2/2: neomutt ##################################################################################################
1/2: removing neomutt-20230517-1.mga9.x86_64 ##################################################################################################
2/2: removing neomutt-doc-20230517-1.mga9.noarch ##################################################################################################

LC_ALL=C neomutt -v
NeoMutt 20241002
Copyright (C) 2015-2024 Richard Russon and friends
NeoMutt comes with ABSOLUTELY NO WARRANTY; for details type 'neomutt -vv'.
NeoMutt is free software, and you are welcome to redistribute it
under certain conditions; type 'neomutt -vv' for details.

System: Linux 6.6.74-server-1.mga9 (x86_64)
ncurses: ncurses 6.3.20221203 (compiled with 6.3.20221203)
libidn2: 2.3.4 (compiled with 2.3.4)
GPGME: 1.18.0
GnuTLS: 3.8.4
storage: kyotocabinet, bdb

Configure options: --host=x86_64-mageia-linux-gnu --build=x86_64-mageia-linux-gnu --program-prefix= --disable-dependency-tracking --prefix=/usr --exec-prefix=/usr --bindir=/usr/bin --sbindir=/usr/sbin --sysconfdir=/etc --datadir=/usr/share --includedir=/usr/include --libdir=/usr/lib64 --libexecdir=/usr/libexec --localstatedir=/var --sharedstatedir=/var/lib --mandir=/usr/share/man --infodir=/usr/share/info --lua --gpgme --full-doc --gnutls --gss --ssl --docdir=/usr/share/doc/neomutt-doc --bdb --pgp --smime --locales-fix --sasl --idn2 --disable-idn --libdir=/usr/lib64 --disable-maintainer-mode --disable-dependency-tracking --kyotocabinet --with-ui --with-sqlite=/usr/lib64 --with-lock

Compilation CFLAGS: -O2 -g -pipe -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fstack-protector --param=ssp-buffer-size=4 -fasynchronous-unwind-tables -std=c11 -fno-delete-null-pointer-checks -D_ALL_SOURCE=1 -D_GNU_SOURCE=1 -D__EXTENSIONS__ -D_XOPEN_SOURCE_EXTENDED -I/usr/include/libassuan2 -I/usr/lib64/include -DNCURSES_WIDECHAR -I/usr/include -I/usr/include/p11-kit-1 -I/include -I/usr/include/ -O2

Compile options: -autocrypt +fcntl -flock -fmemopen +futimens +getaddrinfo +gnutls +gpgme -gsasl +gss +hcache -homespool +idn +inotify +locales_hack +lua +nls -notmuch -openssl +pgp +regex +sasl +smime +sqlite +truecolor

MAILPATH="/var/mail"
PKGDATADIR="/usr/share/neomutt"
SENDMAIL="/usr/sbin/sendmail"
SYSCONFDIR="/etc"

To learn more about NeoMutt, visit: https://neomutt.org
If you find a bug in NeoMutt, please raise an issue at:
https://github.com/neomutt/neomutt/issues
or send an email to: <neomutt-devel@neomutt.org>

I do not have a mail server, so this is all the testing I can do.
Installed and minimally tested without issues.

I don't normally use neomutt (or mutt) so the tests are very minimal.

Configured IMAP and SMTP access for my Dovecot server using the following config example:
https://github.com/neomutt/samples/wiki/Best-practice

Tested:
- IMAP account access;
- browse email list;
- view email, view attachment;
- compose and send email;
- delete email.

$ uname -a
Linux jupiter 6.6.77-desktop-1.mga9 #1 SMP PREEMPT_DYNAMIC Wed Feb 12 21:14:44 UTC 2025 x86_64 GNU/Linux
$ rpm -qa | grep neomutt | sort
neomutt-20241002-1.mga9
neomutt-doc-20241002-1.mga9
CC: (none) => mageia
(In reply to PC LX from comment #4)
> Installed and minimally tested without issues.
>
> I don't normally use neomutt (or mutt) so the tests are very minimal.
>
> Configured IMAP and SMTP access for my Dovecot server using the following
> config example:
> https://github.com/neomutt/samples/wiki/Best-practice
>
> Tested:
> - IMAP account access;
> - browse email list;
> - view email, view attachment;
> - compose and send email;
> - delete email.
>
> $ uname -a
> Linux jupiter 6.6.77-desktop-1.mga9 #1 SMP PREEMPT_DYNAMIC Wed Feb 12
> 21:14:44 UTC 2025 x86_64 GNU/Linux
> $ rpm -qa | grep neomutt | sort
> neomutt-20241002-1.mga9
> neomutt-doc-20241002-1.mga9

Thank you for the test
CC: (none) => andrewsfarm
Whiteboard: (none) => MGA9-64-OK
Validating.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2025-0070.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED