On Thu, Jun 18, 2020 at 10:41:37PM -0700, Josh Triplett wrote:
> Package: mutt
> Version: 1.14.3-1
> Severity: important
> "important" because it makes a previously working configuration
> unusable.
> The fix for CVE-2020-14093 makes it so that when using a
> preauthenticated connection (using `set tunnel` to SSH to the IMAP
> server), mutt just prints "Encrypted connection unavailable" and refuses
> the connection. An strace shows that mutt successfully runs SSH and gets
> the preauthenticated IMAP connection.
> I do not have any ssl-related options set. Best guess: the default
> ssl_starttls=yes makes mutt think it should starttls over preauth, which
> it now avoids due to the CVE.

I can confirm that setting ssl_starttls=no allows preauthenticated IMAP
connections using `set tunnel` to work again.

Reply via email to