Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian....@packages.debian.org
Usertags: pu
Hello folks,
in mutt/1.10.1-2.1+deb10u2 a security CVE was fixed yet it introduced a
regression (bugs.debian.org/963970); I discussed with the security team whether
to push another DSA to fix the regression, but given the scope it was decided
that the best place for that is the next point release.
I've attached the debdiff to this mail and done the upload for buster.
Let me know if there is anything else that I should do.
-- System Information:
Debian Release: bullseye/sid
APT prefers unstable-debug
APT policy: (500, 'unstable-debug'), (500, 'testing-debug'), (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 5.6.0-2-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_FIRMWARE_WORKAROUND
Locale: LANG=en_IE.utf8, LC_CTYPE=en_IE.utf8 (charmap=UTF-8),
LANGUAGE=en_IE.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff -Nru mutt-1.10.1/debian/changelog mutt-1.10.1/debian/changelog
--- mutt-1.10.1/debian/changelog 2020-06-19 06:55:35.000000000 +0200
+++ mutt-1.10.1/debian/changelog 2020-07-02 16:45:23.000000000 +0200
@@ -1,3 +1,11 @@
+mutt (1.10.1-2.1+deb10u3) buster; urgency=medium
+
+ * debian/patches:
+ + added imap-preauth-and-ssh-tunnel.patch from upstream, which does not
+ check IMAP preauth in SSH tunnels (Closes: 963970)
+
+ -- Antonio Radici <anto...@debian.org> Thu, 02 Jul 2020 16:45:23 +0200
+
mutt (1.10.1-2.1+deb10u2) buster-security; urgency=high
* debian/patches:
diff -Nru mutt-1.10.1/debian/patches/series mutt-1.10.1/debian/patches/series
--- mutt-1.10.1/debian/patches/series 2020-06-19 06:55:20.000000000 +0200
+++ mutt-1.10.1/debian/patches/series 2020-07-02 16:44:08.000000000 +0200
@@ -16,3 +16,4 @@
security/CVE-2020-14093.patch
security/CVE-2020-14154.patch
security/CVE-not-yet-released.patch
+upstream/imap-preauth-and-ssh-tunnel.patch
diff -Nru mutt-1.10.1/debian/patches/upstream/imap-preauth-and-ssh-tunnel.patch
mutt-1.10.1/debian/patches/upstream/imap-preauth-and-ssh-tunnel.patch
--- mutt-1.10.1/debian/patches/upstream/imap-preauth-and-ssh-tunnel.patch
1970-01-01 01:00:00.000000000 +0100
+++ mutt-1.10.1/debian/patches/upstream/imap-preauth-and-ssh-tunnel.patch
2020-07-02 16:45:23.000000000 +0200
@@ -0,0 +1,25 @@
+From dc909119b3433a84290f0095c0f43a23b98b3748 Mon Sep 17 00:00:00 2001
+From: Kevin McCarthy <ke...@8t8.us>
+Date: Sat, 20 Jun 2020 06:35:35 -0700
+Subject: [PATCH] Don't check IMAP PREAUTH encryption if $tunnel is in use.
+
+$tunnel is used to create an external encrypted connection. The
+default of $ssl_starttls is yes, meaning those kinds of connections
+will be broken by the CVE-2020-14093 fix.
+---
+ imap/imap.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/imap/imap.c
++++ b/imap/imap.c
+@@ -495,8 +495,8 @@
+ {
+ #if defined(USE_SSL)
+ /* An unencrypted PREAUTH response is most likely a MITM attack.
+- * Require a confirmation. */
+- if (!idata->conn->ssf)
++ * Require a confirmation unless using $tunnel. */
++ if (!idata->conn->ssf && !Tunnel)
+ {
+ if (option(OPTSSLFORCETLS) ||
+ (query_quadoption (OPT_SSLSTARTTLS,
