UbuntuUpdates.org

Package "mutt"

Name: mutt

Description:

text-based mailreader supporting MIME, GPG, PGP and threading
Latest version: 1.5.24-1ubuntu0.4
Release: xenial (16.04)
Level: updates
Repository: main
Homepage: http://www.mutt.org/

Links

All versions of this package
Bug fixes

List of files in package
Repository home page

Download "mutt"

32-bit deb package
64-bit deb package
APT INSTALL

Other versions of "mutt" in Xenial

Repository Area Version
base universe 1.5.24-1build1
base main 1.5.24-1build1
security universe 1.5.24-1ubuntu0.4
security main 1.5.24-1ubuntu0.4
updates universe 1.5.24-1ubuntu0.4

Packages in group

Deleted packages are displayed in grey.


Changelog

Version: 1.5.24-1ubuntu0.4 2020-06-24 21:06:35 UTC

  mutt (1.5.24-1ubuntu0.4) xenial-security; urgency=medium

  * SECURITY UPDATE: Man-in-the-middle attack
    - debian/patches/CVE-2020-14954.patch: fix STARTTLS response injection
      attack clearing the CONNECTION input buffer in mutt_ssl_starttls() in
      mutt_socket.c, mutt_socket.h, mutt_ssl.c, mutt_ssl_gnutls.c.
    - CVE-2020-14954
  * Redoing patch CVE-2020-14154-1, that causes a possibly regression (LP: #1884588)

 -- <email address hidden> (Leonidas S. Barbosa) Mon, 22 Jun 2020 17:26:12 -0300
Source diff to previous version
1884588 Certificate problems sending mail
CVE-2020-14954 Mutt before 1.14.4 and NeoMutt before 2020-06-19 have a STARTTLS buffering issue that affects IMAP, SMTP, and POP3. When a server sends a "begin TLS"
CVE-2020-14154 Mutt before 1.14.3 proceeds with a connection even if, in response to a GnuTLS certificate prompt, the user rejects an expired intermediate certifica

Version: 1.5.24-1ubuntu0.3 2020-06-22 19:07:19 UTC

  mutt (1.5.24-1ubuntu0.3) xenial-security; urgency=medium

  * SECURITY UPDATE: Man-in-the-middle attack
    - debian/patches/CVE-2020-14093.patch: prevent
      possible IMAP MITM via PREAUTH response in imap/imap.c.
    - CVE-2020-14093
  * SECURITY UPDATE: Connection even if the user rejects an
    expired intermediate certificate
    - debian/patches/CVE-2020-14154-1.patch: fix GnuTLS tls_verify_peers()
      checking in mutt_ssl_gnutls.c.
    - debian/patches/CVE-2020-14154-2.patch: Abort GnuTLS certificate if a
      cert in the chain is rejected in mutt_ssl_gnutls.c.
    - debian/patches/CVE-2020-14154-3.patch: fix GnuTLS interactive prompt
      short-circuiting in mutt_ssl_gnutls.c.
    - CVE-2020-14154

 -- <email address hidden> (Leonidas S. Barbosa) Thu, 18 Jun 2020 10:02:48 -0300
Source diff to previous version
CVE-2020-14093 Mutt before 1.14.3 allows an IMAP fcc/postpone man-in-the-middle attack via a PREAUTH response.
CVE-2020-14154 Mutt before 1.14.3 proceeds with a connection even if, in response to a GnuTLS certificate prompt, the user rejects an expired intermediate certifica

Version: 1.5.24-1ubuntu0.2 2018-09-28 01:06:43 UTC

  mutt (1.5.24-1ubuntu0.2) xenial-security; urgency=medium

  * SECURITY UPDATE: apply all fixes to both mutt and mutt-patched
    - debian/patches/series: re-order patch application (LP: #1794278)

 -- Steve Beattie <email address hidden> Wed, 26 Sep 2018 12:43:56 -0700
Source diff to previous version
1794278 Security patches not applied to xenial mutt

Version: 1.5.24-1ubuntu0.1 2018-07-23 16:06:37 UTC

  mutt (1.5.24-1ubuntu0.1) xenial-security; urgency=medium

  * SECURITY UPDATE: Mishandles a NO response without a msg
    - debian/patches/ubuntu/mutt-CVE-2018-14349.patch: fix in
      imap/command.c.
    - CVE-2018-14349
  * SECURITY UPDATE: Stack-based buffer overflow
    - debian/patches/ubuntu/mutt-CVE-2018-14350-CVE-2018-14358.patch:
      fix in imap/message.c.
    - CVE-2018-14350
    - CVE-2018-14358
  * SECURITY UPDATE: Mishandles a long IMAP status
    - debian/patches/ubuntu/mutt-CVE-2018-14351.patch: fix in
      imap/command.c.
    - CVE-2018-14351
  * SECURITY UPDATE: Integer underflow and stack-based buffer overflow
    - debian/patches/ubuntu/mutt-CVE-2018-14352-CVE-2018-14353.patch:
      fix in imap/util.c.
    - CVE-2018-14352
    - CVE-2018-14353
  * SECURITY UPDATE: Remote arbitrary code execution
    - debian/patches/ubuntu/mutt-CVE-2018-14354-CVE-2018-14357.patch:
      fix in imap/command.c, imap/imap.c, imap/imap_private.h, imap/util.c.
    - CVE-2018-14354
    - CVE-2018-14357
  * SECURITY UPDATE: Directory traversal
    - debian/patches/ubuntu/mutt-CVE-2018-14355.patch: fix in
      imap/util.c.
    - CVE-2018-14355
  * SECURITY UPDATE: Mishandles a zero-lenght UID
    - debian/patches/ubuntu/mutt-CVE-2018-14356.patch: fix in
      pop.c.
    - CVE-2018-14356
  * SECURITY UPDATE: Buffer overflow
    - debian/patches/ubuntu/mutt-CVE-2018-14359.patch: fix in
      base64.c, imap/auth_cram.c, imap/auth_gss.c, protos.h.
    - CVE-2018-14359
  * SECURITY UPDATE: Unsafe character interactions
    - debian/patches/ubuntu/mutt-CVE-2018-14362.patch: fix in
      pop.c.
    - CVE-2018-14362

 -- <email address hidden> (Leonidas S. Barbosa) Thu, 19 Jul 2018 10:31:16 -0300
CVE-2018-14349 An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018-07-16. imap/command.c mishandles a NO response without a message.
CVE-2018-14350 An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018-07-16. imap/message.c has a stack-based buffer overflow for a FETCH response wi
CVE-2018-14358 An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018-07-16. imap/message.c has a stack-based buffer overflow for a FETCH response wi
CVE-2018-14351 An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018-07-16. imap/command.c mishandles a long IMAP status mailbox literal count size.
CVE-2018-14352 An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018-07-16. imap_quote_string in imap/util.c does not leave room for quote character
CVE-2018-14353 An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018-07-16. imap_quote_string in imap/util.c has an integer underflow.
CVE-2018-14354 An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018-07-16. They allow remote IMAP servers to execute arbitrary commands via backquo
CVE-2018-14357 An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018-07-16. They allow remote IMAP servers to execute arbitrary commands via backquo
CVE-2018-14355 An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018-07-16. imap/util.c mishandles ".." directory traversal in a mailbox name.
CVE-2018-14356 An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018-07-16. pop.c mishandles a zero-length UID.
CVE-2018-14359 An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018-07-16. They have a buffer overflow via base64 data.
CVE-2018-14362 An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018-07-16. pop.c does not forbid characters that may have unsafe interaction with m


About   -   Send Feedback to @ubuntu_updates