Mandriva has issued this advisory today (April 2): http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2012:048 Both Mageia 1 and Cauldron are affected.
Blocks: (none) => 5046
Assignee: bugsquad => shikamaru
Assignee: shikamaru => jquelin
upstream bug: http://dev.mutt.org/trac/ticket/3506
patched on cauldron, freeze push requested.
mutt-1.5.21-3.3.mga1 available in mga1 core/updates_testing
==> qa, please test & push to core/updates
CC: (none) => jquelin
Assignee: jquelin => qa-bugs
Advisory:
========================
Updated mutt packages fix security vulnerability:
Mutt does not verify that the smtps server hostname matches the domain name of the subject of an X.509 certificate, which allows man-in-the-middle attackers to spoof an SSL SMTP server via an arbitrary certificate, a different vulnerability than CVE-2009-3766 (CVE-2011-1429).
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1429
http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2012:048
========================
Updated packages in core/updates_testing:
========================
mutt-1.5.21-3.3.mga1
mutt-doc-1.5.21-3.3.mga1
mutt-utf8-1.5.21-3.3.mga1
from mutt-1.5.21-3.3.mga1.src.rpm
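The check the advisory says mutt skipped for smtps, written out as an added example (this is not mutt's code and not part of the bug report): a hostname-verification routine that matches the server name the client connected to against the identities the X.509 certificate actually asserts, including the wildcard, CN-fallback and IP-literal edge cases. The certificate dictionaries are constructed for the demonstration, in the shape Python's ssl.SSLSocket.getpeercert() returns.

```python
"""Hostname check an SMTPS client must run on the server certificate (RFC 6125 s.6.4).

Certificates use the dict form returned by ssl.SSLSocket.getpeercert(), so the
check can be exercised offline. Prefer subjectAltName dNSName entries; fall back
to the subject commonName only when no dNSName exists; never match an IP literal
against the CN; accept '*' only as the whole leftmost label of a 3+ label name.
"""
import ipaddress


def _name_match(pattern: str, hostname: str) -> bool:
    """Match one presented identifier (plain or wildcard) against the hostname."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    plabels, hlabels = pattern.split("."), hostname.split(".")
    # '*' must be the entire leftmost label, cover exactly one label, and
    # leave at least two labels after it (so '*.com' style patterns are rejected).
    if plabels[0] != "*" or len(plabels) < 3 or len(plabels) != len(hlabels):
        return False
    return plabels[1:] == hlabels[1:]


def hostname_matches(hostname: str, cert: dict) -> bool:
    """True when `hostname` is an identity the certificate actually asserts."""
    sans = cert.get("subjectAltName", ())
    dns_names = [v for k, v in sans if k == "DNS"]
    ip_names = [v for k, v in sans if k == "IP Address"]
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    if ip is not None:  # IP literals match iPAddress SAN entries only
        return any(ipaddress.ip_address(v) == ip for v in ip_names)
    if dns_names:  # when any dNSName is present the CN is ignored entirely
        return any(_name_match(n, hostname) for n in dns_names)
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(_name_match(cn, hostname) for cn in cns)


# Constructed certificate dictionaries (not real certificates) for demonstration.
GOOD_CERT = {
    "subject": ((("commonName", "smtp.example.com"),),),
    "subjectAltName": (("DNS", "smtp.example.com"), ("DNS", "*.mail.example.com")),
}
# Valid for a different host: a client that skips this check accepts it all the same.
OTHER_CERT = {
    "subject": ((("commonName", "other-host.example"),),),
    "subjectAltName": (("DNS", "other-host.example"),),
}
```

In a real client this runs after chain validation, on the certificate of the socket that was just connected, and a False result aborts the session before any credentials are sent.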
(In reply to comment #1)
> upstream bug: http://dev.mutt.org/trac/ticket/3506
>
> patched on cauldron, freeze push requested.
Jerome, about Cauldron, Nicolas Vigier had this to say: "As the version didn't change and we are not yet in release freeze, you should be able to submit yourself."
I haven't used mutt before. In all of the .muttrc examples I've seen, the user name is specified as
set imap_user = "yourusername@gmail.com"
In testing connections to my own cyrus-imapd server, I found I had to specify
set imap_user =dave@hodgins.homeip.net
without the quotes. Same with the imap_pass. According to the muttrc man page, the quoting should be allowed. I'll test with the prior version, to see if this is a regression or not.
CC: (none) => davidwhodgins
Figured out the problem. The config I'd copied from a web site had the open/closing double quotes instead of regular double quotes. I've now successfully retrieved and sent email. Testing complete on i586 for the srpm mutt-1.5.21-3.3.mga1.src.rpm
pushed in cauldron too.
Blocks: 5046 => (none)
Ping. We still need x86-64 testing for this security update.
Update validated on x86_64
Could sysadmin please push mutt-1.5.21-3.3.mga1.src.rpm from core/updates_testing to core/updates
Advisory:
========================
Updated mutt packages fix security vulnerability:
Mutt does not verify that the smtps server hostname matches the domain name of the subject of an X.509 certificate, which allows man-in-the-middle attackers to spoof an SSL SMTP server via an arbitrary certificate, a different vulnerability than CVE-2009-3766 (CVE-2011-1429).
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1429
http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2012:048
========================
Keywords: (none) => validated_update
CC: (none) => derekjenn, sysadmin-bugs
Update pushed.
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED