[ASA-202011-24] neomutt: silent downgrade
Arch Linux Security Advisory ASA-202011-24 ========================================== Severity: High Date : 2020-11-26 CVE-ID : CVE-2020-28896 Package : neomutt Type : silent downgrade Remote : Yes Link : https://security.archlinux.org/AVG-1289 Summary ======= The package neomutt before version 20201120-1 is vulnerable to silent downgrade. Resolution ========== Upgrade to 20201120-1. # pacman -Syu "neomutt>=20201120-1" The problem has been fixed upstream in version 20201120. Workaround ========== None. Description =========== A security issue has been found in Mutt before version 2.0.2 and NeoMutt before version 20201120 that could result in authentication credentials being sent over an unencrypted connection, without $ssl_force_tls being consulted. During connection, if the server provided an illegal initial response, the application "bailed", but did not actually close the connection. The calling code relied on the connection status to decide to continue with authentication, instead of checking the "bail" return value. Impact ====== An attacker in position of man-in-the-middle might be able to intercept and alter messages between the e-mail client and the server. References ========== http://lists.mutt.org/pipermail/mutt-users/Week-of-Mon-20201116/002134.html https://mailman.neomutt.org/pipermail/neomutt-users-neomutt.org/2020-Novembe... https://gitlab.com/muttmua/mutt/-/commit/04b06aaa3e0cc0022b9b01dbca2863756eb... https://github.com/neomutt/neomutt/commit/9c36717a3e2af1f2c1b7242035455ec811... https://security.archlinux.org/CVE-2020-28896
participants (1)
-
Morten Linderud