On Fri, Jun 19, 2020 at 04:04:37PM -0700, Josh Triplett wrote:
> On Thu, Jun 18, 2020 at 10:41:37PM -0700, Josh Triplett wrote:
> > Package: mutt
> > Version: 1.14.3-1
> > Severity: important
> > 
> > "important" because it makes a previously working configuration
> > unusable.
> > 
> > The fix for CVE-2020-14093 makes it so that when using a
> > preauthenticated connection (using `set tunnel` to SSH to the IMAP
> > server), mutt just prints "Encrypted connection unavailable" and refuses
> > the connection. An strace shows that mutt successfully runs SSH and gets
> > the preauthenticated IMAP connection.
> > 
> > I do not have any ssl-related options set. Best guess: the default
> > ssl_starttls=yes makes mutt think it should starttls over preauth, which
> > it now avoids due to the CVE.
> 
> I can confirm that setting ssl_starttls=no allows preauthenticated IMAP
> connections using `set tunnel` to work again.
> 

Created issue https://gitlab.com/muttmua/mutt/-/issues/250

Reply via email to