
Arch Linux alert ASA-202011-25 (mutt)

From:  Morten Linderud <foxboron@archlinux.org>
To:  arch-security@archlinux.org
Subject:  [ASA-202011-25] mutt: silent downgrade
Date:  Sat, 05 Dec 2020 15:27:52 +0100
Message-ID:  <20201205142752.wa6r7lhedlo6ogmo@anathema>

Arch Linux Security Advisory ASA-202011-25
==========================================

Severity: High
Date    : 2020-11-26
CVE-ID  : CVE-2020-28896
Package : mutt
Type    : silent downgrade
Remote  : Yes
Link    : https://security.archlinux.org/AVG-1288

Summary
=======

The package mutt before version 2.0.2-1 is vulnerable to silent downgrade.

Resolution
==========

Upgrade to 2.0.2-1.

# pacman -Syu "mutt>=2.0.2-1"

The problem has been fixed upstream in version 2.0.2.

Workaround
==========

None.

Description
===========

A security issue has been found in Mutt before version 2.0.2 and NeoMutt before version 20201120 that could result in authentication credentials being sent over an unencrypted connection, without $ssl_force_tls being consulted. During connection setup, if the server provided an illegal initial response, the application "bailed" but did not actually close the connection. The calling code relied on the connection status to decide whether to continue with authentication, instead of checking the "bail" return value.

Impact
======

An attacker in a man-in-the-middle position might be able to intercept and alter messages between the e-mail client and the server.

References
==========

http://lists.mutt.org/pipermail/mutt-users/Week-of-Mon-20...
https://mailman.neomutt.org/pipermail/neomutt-users-neomu...
https://gitlab.com/muttmua/mutt/-/commit/04b06aaa3e0cc002...
https://github.com/neomutt/neomutt/commit/9c36717a3e2af1f...
https://security.archlinux.org/CVE-2020-28896
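The bug pattern the description gives, as an added C illustration that is not mutt's or neomutt's code: a STARTTLS step returns a "bail" value but leaves the socket open, the vulnerable caller checks only connection status and sends credentials anyway, and the fixed caller checks the return value and closes the connection. The connection struct, function names and the server response string are all constructed here.

```c
#include <string.h>

/* Simplified model of the bug class, constructed for illustration; it is not
 * mutt's code. A connection is a descriptor plus a flag recording whether TLS
 * has been negotiated on it. */
typedef struct {
    int fd;   /* -1 once closed */
    int tls;  /* 1 after STARTTLS succeeded */
} conn_t;

/* Simulated STARTTLS step. Returns 0 on success and -1 ("bail") when the
 * server's initial response is illegal. As in the advisory, bailing does NOT
 * close the connection: fd stays open and tls stays 0. */
static int starttls(conn_t *c, const char *initial_response) {
    if (strcmp(initial_response, "+OK Begin TLS negotiation") != 0)
        return -1;
    c->tls = 1;
    return 0;
}

enum auth_result { AUTH_ABORTED = 0, AUTH_SENT_OVER_TLS = 1, AUTH_SENT_PLAINTEXT = 2 };

/* Credentials go out on whatever the connection currently is. */
static enum auth_result send_credentials(const conn_t *c) {
    return c->tls ? AUTH_SENT_OVER_TLS : AUTH_SENT_PLAINTEXT;
}

/* Vulnerable pattern: the bail value is discarded and "still connected" is
 * taken to mean "safe to authenticate", so credentials leave in plaintext. */
enum auth_result authenticate_vulnerable(conn_t *c, const char *response) {
    starttls(c, response);
    if (c->fd >= 0)
        return send_credentials(c);
    return AUTH_ABORTED;
}

/* Fixed pattern: honour the bail value, tear the connection down, and refuse to
 * send credentials when $ssl_force_tls is set but TLS is not up. */
enum auth_result authenticate_fixed(conn_t *c, const char *response, int ssl_force_tls) {
    if (starttls(c, response) != 0) {
        c->fd = -1;   /* actually close it, so no later step can reuse it */
        return AUTH_ABORTED;
    }
    if (ssl_force_tls && !c->tls)   /* defence in depth for any other path */
        return AUTH_ABORTED;
    return send_credentials(c);
}
```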



