Hi Antonio,

On Sun, Sep 10, 2023 at 01:05:31PM +0200, Antonio Radici wrote:
> On Sat, Sep 09, 2023 at 10:23:32PM +0200, Salvatore Bonaccorso wrote:
> > Source: mutt
> > Version: 2.2.9-1
> > Severity: grave
> > Tags: security upstream
> > Justification: user security hole
> > X-Debbugs-Cc: car...@debian.org, Debian Security Team
> > <t...@security.debian.org>
> >
> > Hi,
> >
> > The following vulnerabilities were published for mutt.
> >
> > CVE-2023-4874[0]:
> > | Null pointer dereference when viewing a specially crafted email in
> > | Mutt >1.5.2 <2.2.12
> >
> >
> > CVE-2023-4875[1]:
> > | Null pointer dereference when composing from a specially crafted
> > | draft message in Mutt >1.5.2 <2.2.12
> >
> > Make sure to include all three commits referenced from [2], the last
> > one is technically not part of the two CVEs, but another crash found
> > by upstream.
> >
> > If you fix the vulnerabilities please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
> >
> > For further information see:
> >
> > [0] https://security-tracker.debian.org/tracker/CVE-2023-4874
> >     https://www.cve.org/CVERecord?id=CVE-2023-4874
> > [1] https://security-tracker.debian.org/tracker/CVE-2023-4875
> >     https://www.cve.org/CVERecord?id=CVE-2023-4875
> > [2]
> > http://lists.mutt.org/pipermail/mutt-announce/Week-of-Mon-20230904/000056.html
> >
> > Please adjust the affected versions in the BTS as needed.
>
> Thanks for raising this, I'm uploading the new packages with the fixes today.

FWIW, I have done the bookworm-security upload already to
security-master, and still working on the bullseye-security one (with
plan to release the DSA tonight ideally).

Regards,
Salvatore