UbuntuUpdates.org

Package "mutt"

Name: mutt

Description:

text-based mailreader supporting MIME, GPG, PGP and threading

Latest version: 1.13.2-1ubuntu0.6
Release: focal (20.04)
Level: security
Repository: main
Homepage: http://www.mutt.org/

Links


Download "mutt"


Other versions of "mutt" in Focal

Repository Area Version
base main 1.13.2-1
updates main 1.13.2-1ubuntu0.6

Changelog

Version: 1.13.2-1ubuntu0.6 2023-09-14 21:06:48 UTC

  mutt (1.13.2-1ubuntu0.6) focal-security; urgency=medium

  * SECURITY UPDATE: null pointer dereference
    - d/p/upstream/Fix-rfc2047-base64-decoding-to-abort-on-illegal-char.patch: Fix
      rfc2047 base64 decoding to abort on illegal characters.
    - d/p/upstream/Check-for-NULL-userhdrs.patch: Check for NULL userhdrs.
    - d/p/upstream/Fix-write_one_header-illegal-header-check.patch: Fix
      write_one_header() illegal header check.
    - CVE-2023-4874
    - CVE-2023-4875

 -- Fabian Toepfer <email address hidden> Thu, 14 Sep 2023 17:12:08 +0200

Source diff to previous version
CVE-2023-4874 Null pointer dereference when viewing a specially crafted email in Mutt >1.5.2 <2.2.12
CVE-2023-4875 Null pointer dereference when composing from a specially crafted draft message in Mutt >1.5.2 <2.2.12

Version: 1.13.2-1ubuntu0.5 2022-04-28 11:06:20 UTC

  mutt (1.13.2-1ubuntu0.5) focal-security; urgency=medium

  * SECURITY UPDATE: OOB read
    - debian/patches/CVE-2021-32055.patch: fix seqset iterator when
      it ends in a comma in imap/util.c.
    - CVE-2021-32055
  * SECURITY UPDATE: Buffer overflow
    - debian/patches/CVE-2022-1328.patch: Fix uudecode in handler.c.
    - CVE-2022-1328

 -- Leonidas Da Silva Barbosa <email address hidden> Tue, 19 Apr 2022 11:15:19 -0300

Source diff to previous version
CVE-2021-32055 Mutt 1.11.0 through 2.0.x before 2.0.7 (and NeoMutt 2019-10-25 through 2021-05-04) has a $imap_qresync issue in which imap/util.c has an out-of-bound
CVE-2022-1328 Buffer Overflow in uudecoder in Mutt affecting all versions starting from 0.94.13 before 2.2.3 allows read past end of input line

Version: 1.13.2-1ubuntu0.4 2021-01-25 16:06:19 UTC

  mutt (1.13.2-1ubuntu0.4) focal-security; urgency=medium

  * SECURITY UPDATE: Denial of service
    - debian/patches/CVE-2021-3181-1.patch: Fix memory leak parsing group addresses without a display name
      in rfc822.c.
    - debian/patches/CVE-2021-3181-2.patch: Don't allocate a group terminator unless we are in a group-list
      in rfc822.c.
    - debian/patches/CVE-2021-3181-3.patch: Add group terminator if it is left
      off in rfc822.c.
    - CVE-2021-3181

 -- Leonidas Da Silva Barbosa <email address hidden> Thu, 21 Jan 2021 13:04:42 -0300

Source diff to previous version
CVE-2021-3181 rfc822.c in Mutt through 2.0.4 allows remote attackers to cause a denial of service (mailbox unavailability) by sending email messages with sequences

Version: 1.13.2-1ubuntu0.3 2020-11-25 16:07:29 UTC

  mutt (1.13.2-1ubuntu0.3) focal-security; urgency=medium

  * SECURITY UPDATE: Sensitive information exposed
    - debian/patches/CVE-2020-28896.patch: Ensure IMAP connection is closed
      after a connection error in imap/imap.c.
    - CVE-2020-28896

 -- <email address hidden> (Leonidas S. Barbosa) Tue, 24 Nov 2020 10:38:50 -0300

Source diff to previous version
CVE-2020-28896 Mutt before 2.0.2 and NeoMutt before 2020-11-20 did not ensure that $ssl_force_tls was processed if an IMAP server's initial server response was inva

Version: 1.13.2-1ubuntu0.2 2020-06-24 18:07:10 UTC

  mutt (1.13.2-1ubuntu0.2) focal-security; urgency=medium

  * SECURITY UPDATE: Man-in-the-middle attack
    - debian/patches/CVE-2020-14954.patch: fix STARTTLS response injection
      attack clearing the CONNECTION input buffer in mutt_ssl_starttls() in
      mutt_socket.c, mutt_socket.h, mutt_ssl.c, mutt_ssl_gnutls.c.
    - CVE-2020-14954

 -- <email address hidden> (Leonidas S. Barbosa) Mon, 22 Jun 2020 14:46:34 -0300

CVE-2020-14954 Mutt before 1.14.4 and NeoMutt before 2020-06-19 have a STARTTLS buffering issue that affects IMAP, SMTP, and POP3. When a server sends a "begin TLS"



About   -   Send Feedback to @ubuntu_updates