Security update for mutt SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2020:0903-1 Final 1 1 2020-06-29T10:17:03Z current 2020-06-29T10:17:03Z 2020-06-29T10:17:03Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for mutt This update for mutt fixes the following issues: - CVE-2020-14954: Fixed a response injection due to a STARTTLS buffering issue which was affecting IMAP, SMTP, and POP3 (bsc#1173197). - CVE-2020-14093: Fixed a potential IMAP Man-in-the-Middle attack via a PREAUTH response (bsc#1172906, bsc#1172935). - CVE-2020-14154: Fixed an issue where Mutt was ignoring an expired certificate and was proceeding with a connection (bsc#1172906, bsc#1172935). This update was imported from the SUSE:SLE-15:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2020-903 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/VMKWM3Q7YV5QZYXLMV7ZD4C7U3TIC47V/ E-Mail link for openSUSE-SU-2020:0903-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1172906 SUSE Bug 1172906 https://bugzilla.suse.com/1172935 SUSE Bug 1172935 https://bugzilla.suse.com/1173197 SUSE Bug 1173197 https://www.suse.com/security/cve/CVE-2020-14093/ SUSE CVE CVE-2020-14093 page https://www.suse.com/security/cve/CVE-2020-14154/ SUSE CVE CVE-2020-14154 page https://www.suse.com/security/cve/CVE-2020-14954/ SUSE CVE CVE-2020-14954 page openSUSE Leap 15.1 mutt-1.10.1-lp151.2.3.1 mutt-doc-1.10.1-lp151.2.3.1 mutt-lang-1.10.1-lp151.2.3.1 mutt-1.10.1-lp151.2.3.1 as a component of openSUSE Leap 15.1 mutt-doc-1.10.1-lp151.2.3.1 as a component of openSUSE Leap 15.1 mutt-lang-1.10.1-lp151.2.3.1 as a component of openSUSE Leap 15.1 Mutt before 1.14.3 allows an IMAP fcc/postpone man-in-the-middle attack via a PREAUTH response. CVE-2020-14093 openSUSE Leap 15.1:mutt-1.10.1-lp151.2.3.1 openSUSE Leap 15.1:mutt-doc-1.10.1-lp151.2.3.1 openSUSE Leap 15.1:mutt-lang-1.10.1-lp151.2.3.1 important 4.3 AV:N/AC:M/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/VMKWM3Q7YV5QZYXLMV7ZD4C7U3TIC47V/ https://www.suse.com/security/cve/CVE-2020-14093.html CVE-2020-14093 https://bugzilla.suse.com/1172906 SUSE Bug 1172906 https://bugzilla.suse.com/1172935 SUSE Bug 1172935 Mutt before 1.14.3 proceeds with a connection even if, in response to a GnuTLS certificate prompt, the user rejects an expired intermediate certificate. CVE-2020-14154 openSUSE Leap 15.1:mutt-1.10.1-lp151.2.3.1 openSUSE Leap 15.1:mutt-doc-1.10.1-lp151.2.3.1 openSUSE Leap 15.1:mutt-lang-1.10.1-lp151.2.3.1 important 5.8 AV:N/AC:M/Au:N/C:P/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/VMKWM3Q7YV5QZYXLMV7ZD4C7U3TIC47V/ https://www.suse.com/security/cve/CVE-2020-14154.html CVE-2020-14154 https://bugzilla.suse.com/1172906 SUSE Bug 1172906 https://bugzilla.suse.com/1172935 SUSE Bug 1172935 Mutt before 1.14.4 and NeoMutt before 2020-06-19 have a STARTTLS buffering issue that affects IMAP, SMTP, and POP3. When a server sends a "begin TLS" response, the client reads additional data (e.g., from a man-in-the-middle attacker) and evaluates it in a TLS context, aka "response injection." CVE-2020-14954 openSUSE Leap 15.1:mutt-1.10.1-lp151.2.3.1 openSUSE Leap 15.1:mutt-doc-1.10.1-lp151.2.3.1 openSUSE Leap 15.1:mutt-lang-1.10.1-lp151.2.3.1 important 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/VMKWM3Q7YV5QZYXLMV7ZD4C7U3TIC47V/ https://www.suse.com/security/cve/CVE-2020-14954.html CVE-2020-14954 https://bugzilla.suse.com/1173197 SUSE Bug 1173197