CVE-2020-14154: mutt 1.14.3 released

Mutt before 1.14.3 proceeds with a connection even if, in response to a GnuTLS certificate prompt, the user rejects an expired intermediate certificate.


Kevin J. McCarthy kevin at 8t8.us
Sun Jun 14 22:05:29 UTC 2020


Hello Mutt Users,

I’ve just released version 1.14.3. Instructions for downloading are available at http://www.mutt.org/download.html, or the tarball can be directly downloaded from http://ftp.mutt.org/pub/mutt/. Please take the time to verify the signature file against my public key.

This is an important security release fixing two issues.

The first is a possible IMAP man-in-the-middle attack. No credentials are exposed, but it could result in unintended emails being “saved” to an attacker’s server. The $ssl_starttls quadoption is now used to check for an unencrypted PREAUTH response from the server.

Thanks very much to Damian Poddebniak and Fabian Ising from the Münster University of Applied Sciences for reporting this issue, and their help in testing the fix.

The second fix is for a problem with GnuTLS certificate prompting. “Rejecting” an expired intermediate cert did not terminate the connection. Thanks to @henk on IRC for reporting the issue.

-Kevin
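
The kind of client-side check the announcement describes for an unencrypted PREAUTH greeting, as an added example that is not part of the original message and is not Mutt's source code. All type and function names are hypothetical, and the mapping of the four quadoption values (yes, no, ask-yes, ask-no) onto abort/continue is an assumption made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
/* Hypothetical names: a simplified model of the check, not Mutt's source. */
enum quad { QUAD_NO, QUAD_YES, QUAD_ASK_NO, QUAD_ASK_YES };
enum greeting { GREET_OK, GREET_PREAUTH, GREET_BYE, GREET_INVALID };
enum action { ACT_CONTINUE, ACT_ABORT };

/* Case-insensitive match of an upper-case keyword followed by a delimiter. */
static int has_word(const char *s, const char *word)
{
    size_t i = 0;
    for (; word[i]; i++)
        if (toupper((unsigned char)s[i]) != word[i]) return 0;
    return s[i] == ' ' || s[i] == '\r' || s[i] == '\n' || s[i] == '\0';
}

/* Classify the untagged greeting that opens every IMAP connection. */
static enum greeting parse_greeting(const char *line)
{
    if (line[0] != '*' || line[1] != ' ') return GREET_INVALID;
    if (has_word(line + 2, "OK")) return GREET_OK;
    if (has_word(line + 2, "PREAUTH")) return GREET_PREAUTH;
    if (has_word(line + 2, "BYE")) return GREET_BYE;
    return GREET_INVALID;
}

/* tls_active: socket already encrypted. user_aborts: prompt answer (ask-* only). */
static enum action on_greeting(const char *line, int tls_active,
                               enum quad starttls, int user_aborts)
{
    switch (parse_greeting(line)) {
    case GREET_OK:
        return ACT_CONTINUE; /* not authenticated yet: STARTTLS can still run */
    case GREET_PREAUTH:
        if (tls_active) return ACT_CONTINUE;
        /* Cleartext PREAUTH skips the only state in which STARTTLS is allowed. */
        if (starttls == QUAD_YES) return ACT_ABORT;
        if (starttls == QUAD_NO) return ACT_CONTINUE;
        return user_aborts ? ACT_ABORT : ACT_CONTINUE;
    default:
        return ACT_ABORT; /* BYE or malformed greeting */
    }
}
int main(void)
{
    const char *g = "* PREAUTH IMAP4rev1 logged in as alice\r\n"; /* constructed */
    printf("%s\n", on_greeting(g, 0, QUAD_YES, 0) == ACT_ABORT ? "abort" : "continue");
    return 0;
}
```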


More information about the Mutt-announce mailing list
