[manjaro-security] [ASA-202011-24] neomutt: silent downgrade
foxboron at archlinux.org
Sat Dec 5 15:27:45 CET 2020
Arch Linux Security Advisory ASA-202011-24
Date : 2020-11-26
CVE-ID : CVE-2020-28896
Package : neomutt
Type : silent downgrade
Remote : Yes
Link : https://security.archlinux.org/AVG-1289
The package neomutt before version 20201120-1 is vulnerable to silent
Upgrade to 20201120-1.
# pacman -Syu "neomutt>=20201120-1"
The problem has been fixed upstream in version 20201120.
A security issue has been found in Mutt before version 2.0.2 and
NeoMutt before version 20201120 that could result in authentication
credentials being sent over an unencrypted connection, without
$ssl_force_tls being consulted. During connection, if the server
provided an illegal initial response, the application "bailed", but did
not actually close the connection. The calling code relied on the
connection status to decide to continue with authentication, instead of
checking the "bail" return value.
An attacker in position of man-in-the-middle might be able to intercept
and alter messages between the e-mail client and the server.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 833 bytes
Desc: not available
More information about the manjaro-security