-
mutt (1.13.2-1ubuntu0.6) focal-security; urgency=medium

  * SECURITY UPDATE: null pointer dereference
    - d/p/upstream/Fix-rfc2047-base64-decoding-to-abort-on-illegal-char.patch: Fix
      rfc2047 base64 decoding to abort on illegal characters.
    - d/p/upstream/Check-for-NULL-userhdrs.patch: Check for NULL userhdrs.
    - d/p/upstream/Fix-write_one_header-illegal-header-check.patch: Fix
      write_one_header() illegal header check.
    - CVE-2023-4874
    - CVE-2023-4875

 -- Fabian Toepfer <email address hidden> Thu, 14 Sep 2023 17:12:08 +0200
-
mutt (1.13.2-1ubuntu0.5) focal-security; urgency=medium

  * SECURITY UPDATE: OOB read
    - debian/patches/CVE-2021-32055.patch: fix seqset iterator when
      it ends in a comma in imap/util.c.
    - CVE-2021-32055
  * SECURITY UPDATE: Buffer overflow
    - debian/patches/CVE-2022-1328.patch: Fix uudecode in handler.c.
    - CVE-2022-1328

 -- Leonidas Da Silva Barbosa <email address hidden> Tue, 19 Apr 2022 11:15:19 -0300
-
mutt (1.13.2-1ubuntu0.4) focal-security; urgency=medium

  * SECURITY UPDATE: Denial of service
    - debian/patches/CVE-2021-3181-1.patch: Fix memory leak parsing group
      addresses without a display name in rfc822.c.
    - debian/patches/CVE-2021-3181-2.patch: Don't allocate a group terminator
      unless we are in a group-list in rfc822.c.
    - debian/patches/CVE-2021-3181-3.patch: Add group terminator if it is left
      off in rfc822.c.
    - CVE-2021-3181

 -- Leonidas Da Silva Barbosa <email address hidden> Thu, 21 Jan 2021 13:04:42 -0300
-
mutt (1.13.2-1ubuntu0.3) focal-security; urgency=medium

  * SECURITY UPDATE: Sensitive information exposed
    - debian/patches/CVE-2020-28896.patch: Ensure IMAP connection is closed
      after a connection error in imap/imap.c.
    - CVE-2020-28896

 -- <email address hidden> (Leonidas S. Barbosa) Tue, 24 Nov 2020 10:38:50 -0300
-
mutt (1.13.2-1ubuntu0.2) focal-security; urgency=medium

  * SECURITY UPDATE: Man-in-the-middle attack
    - debian/patches/CVE-2020-14954.patch: fix STARTTLS response injection
      attack clearing the CONNECTION input buffer in mutt_ssl_starttls() in
      mutt_socket.c, mutt_socket.h, mutt_ssl.c, mutt_ssl_gnutls.c.
    - CVE-2020-14954

 -- <email address hidden> (Leonidas S. Barbosa) Mon, 22 Jun 2020 14:46:34 -0300
-
mutt (1.13.2-1ubuntu0.1) focal-security; urgency=medium

  * SECURITY UPDATE: Man-in-the-middle attack
    - debian/patches/CVE-2020-14093.patch: prevent
      possible IMAP MITM via PREAUTH response in imap/imap.c.
    - CVE-2020-14093
  * SECURITY UPDATE: Connection even if the user rejects an
    expired intermediate certificate
    - debian/patches/CVE-2020-14154-1.patch: fix GnuTLS tls_verify_peers()
      checking in mutt_ssl_gnutls.c.
    - debian/patches/CVE-2020-14154-2.patch: Abort GnuTLS certificate if a
      cert in the chain is rejected in mutt_ssl_gnutls.c.
    - debian/patches/CVE-2020-14154-3.patch: fix GnuTLS interactive prompt
      short-circuiting in mutt_ssl_gnutls.c.
    - CVE-2020-14154

 -- <email address hidden> (Leonidas S. Barbosa) Wed, 17 Jun 2020 16:46:31 -0300
-
mutt (1.13.2-1) unstable; urgency=medium

  * New upstream release.
  * debian/patches:
    + all patches refreshed.

 -- Antonio Radici <email address hidden> Thu, 19 Dec 2019 07:00:56 +0100
-
mutt (1.13.0-1) unstable; urgency=medium

  * New upstream release.
  * debian/patches:
    + all patches refreshed.

 -- Antonio Radici <email address hidden> Thu, 12 Dec 2019 09:22:41 +0100
-
mutt (1.12.2-2) unstable; urgency=medium

  * debian/control:
    + Standards-Version bumped to 4.4.1, no change required.
    + Added sensible-utils in Recommends due to /etc/Muttrc binaries which
      were previously in debianutils.

 -- Antonio Radici <email address hidden> Mon, 11 Nov 2019 06:35:33 +0100
-
mutt (1.12.2-1) unstable; urgency=medium

  * New upstream release.
  * debian/patches:
    + all patches refreshed.
    + debian-specific/467432-write_bcc.patch slightly modified to fit the new
      function calls.
    + removed the following patches that are already upstream:
      - upstream/905551-oauthbearer-imap.patch
      - upstream/905551-oauthbearer-refresh.patch
      - upstream/905551-oauthbearer-smtp.patch
      - upstream/929017-atoi-undefined-behavior.patch
  * debian/mutt.install: renamed pgpring to mutt_pgpring as per upstream name
    change.

 -- Antonio Radici <email address hidden> Fri, 25 Oct 2019 08:45:15 +0200
-
mutt (1.10.1-2.1) unstable; urgency=medium

  * Non-maintainer upload.
  * Apply patch from upstream to prevent undefined behaviour when
    parsing invalid Content-Disposition mail headers. The atoi() function was
    being called on a number which can potentially overflow and thus can have
    security implications depending on the atoi() implementation.
    (Closes: #929017)

 -- Chris Lamb <email address hidden> Sat, 25 May 2019 09:57:12 +0100