This bug was fixed in the package mutt - 1.5.24-1ubuntu0.2 --------------- mutt (1.5.24-1ubuntu0.2) xenial-security; urgency=medium
* SECURITY UPDATE: apply all fixes to both mutt and mutt-patched - debian/patches/series: re-order patch application (LP: #1794278) -- Steve Beattie <sbeat...@ubuntu.com> Wed, 26 Sep 2018 12:43:56 -0700 ** Changed in: mutt (Ubuntu Xenial) Status: Triaged => Fix Released -- You received this bug notification because you are a member of नेपाली भाषा समायोजकहरुको समूह, which is subscribed to Xenial. Matching subscriptions: Ubuntu 16.04 Bugs https://bugs.launchpad.net/bugs/1794278 Title: Security patches not applied to xenial mutt Status in mutt package in Ubuntu: Fix Released Status in mutt source package in Xenial: Fix Released Bug description: Hi, The version of mutt in 16.04 LTS (1.5.24-1ubuntu0.1) seems to be missing all ubuntu supplied security patches. In particular, the following list: ubuntu/mutt-CVE-2018-14349.patch ubuntu/mutt-CVE-2018-14350-CVE-2018-14358.patch ubuntu/mutt-CVE-2018-14351.patch ubuntu/mutt-CVE-2018-14352-CVE-2018-14353.patch ubuntu/mutt-CVE-2018-14354-CVE-2018-14357.patch ubuntu/mutt-CVE-2018-14355.patch ubuntu/mutt-CVE-2018-14356.patch ubuntu/mutt-CVE-2018-14359.patch ubuntu/mutt-CVE-2018-14362.patch ...is NOT applied to the standard mutt version, only to the "enhanced" version. Output of mutt -v shows the list of applied patches (see bottom): Mutt 1.5.24 (2015-08-30) Copyright (C) 1996-2009 Michael R. Elkins and others. Mutt comes with ABSOLUTELY NO WARRANTY; for details type `mutt -vv'. Mutt is free software, and you are welcome to redistribute it under certain conditions; type `mutt -vv' for details. System: Linux 4.15.0-35-generic (x86_64) ncurses: ncurses 6.0.20160213 (compiled with 6.0) libidn: 1.32 (compiled with 1.32) hcache backend: tokyocabinet 1.4.48 Compiler: Using built-in specs. COLLECT_GCC=gcc COLLECT_LTO_WRAPPER=/usr/lib/gcc/x86_64-linux-gnu/5/lto-wrapper Target: x86_64-linux-gnu Configured with: ../src/configure -v --with-pkgversion='Ubuntu 5.4.0-6ubuntu1~16.04.10' --with-bugurl=file:///usr/share/doc/gcc-5/README.Bugs --enable-languages=c,ada,c++,java,go,d,fortran,objc,obj-c++ --prefix=/usr --program-suffix=-5 --enable-shared --enable-linker-build-id --libexecdir=/usr/lib --without-included-gettext --enable-threads=posix --libdir=/usr/lib --enable-nls --with-sysroot=/ --enable-clocale=gnu --enable-libstdcxx-debug --enable-libstdcxx-time=yes --with-default-libstdcxx-abi=new --enable-gnu-unique-object --disable-vtable-verify --enable-libmpx --enable-plugin --with-system-zlib --disable-browser-plugin --enable-java-awt=gtk --enable-gtk-cairo --with-java-home=/usr/lib/jvm/java-1.5.0-gcj-5-amd64/jre --enable-java-home --with-jvm-root-dir=/usr/lib/jvm/java-1.5.0-gcj-5-amd64 --with-jvm-jar-dir=/usr/lib/jvm-exports/java-1.5.0-gcj-5-amd64 --with-arch-directory=amd64 --with-ecj-jar=/usr/share/java/eclipse-ecj.jar --enable-objc-gc --enable-multiarch --disable-werror --with-arch-32=i686 --with-abi=m64 --with-multilib-list=m32,m64,mx32 --enable-multilib --with-tune=generic --enable-checking=release --build=x86_64-linux-gnu --host=x86_64-linux-gnu --target=x86_64-linux-gnu Thread model: posix gcc version 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.10) Configure options: '--prefix=/usr' '--sysconfdir=/etc' '-- mandir=/usr/share/man' '--with-docdir=/usr/share/doc' '--with- mailpath=/var/mail' '--disable-dependency-tracking' '--enable- compressed' '--enable-debug' '--enable-fcntl' '--enable-hcache' '--enable-gpgme' '--enable-imap' '--enable-smtp' '--enable-pop' '--with-curses' '--with-gnutls' '--with-gss' '--with-idn' '--with- mixmaster' '--with-sasl' '--without-gdbm' '--without-bdb' '--without- qdbm' '--build' 'x86_64-linux-gnu' 'build_alias=x86_64-linux-gnu' 'CFLAGS=-g -O2 -fstack-protector-strong -Wformat -Werror=format- security -Wall' 'LDFLAGS=-Wl,-Bsymbolic-functions -Wl,-z,relro' 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2 -I/usr/include/qdbm' Compilation CFLAGS: -g -O2 -fstack-protector-strong -Wformat -Werror =format-security -Wall Compile options: -DOMAIN +DEBUG -HOMESPOOL +USE_SETGID +USE_DOTLOCK +DL_STANDALONE +USE_FCNTL -USE_FLOCK +USE_POP +USE_IMAP +USE_SMTP -USE_SSL_OPENSSL +USE_SSL_GNUTLS +USE_SASL +USE_GSS +HAVE_GETADDRINFO +HAVE_REGCOMP -USE_GNU_REGEX +HAVE_COLOR +HAVE_START_COLOR +HAVE_TYPEAHEAD +HAVE_BKGDSET +HAVE_CURS_SET +HAVE_META +HAVE_RESIZETERM +CRYPT_BACKEND_CLASSIC_PGP +CRYPT_BACKEND_CLASSIC_SMIME +CRYPT_BACKEND_GPGME -EXACT_ADDRESS -SUN_ATTACHMENT +ENABLE_NLS -LOCALES_HACK +COMPRESSED +HAVE_WC_FUNCS +HAVE_LANGINFO_CODESET +HAVE_LANGINFO_YESEXPR +HAVE_ICONV -ICONV_NONTRANS +HAVE_LIBIDN +HAVE_GETSID +USE_HCACHE -ISPELL SENDMAIL="/usr/sbin/sendmail" MAILPATH="/var/mail" PKGDATADIR="/usr/share/mutt" SYSCONFDIR="/etc" EXECSHELL="/bin/sh" MIXMASTER="mixmaster" To contact the developers, please mail to <mutt-...@mutt.org>. To report a bug, please visit http://bugs.mutt.org/. misc/am-maintainer-mode.patch features/ifdef.patch features/trash-folder.patch features/purge-message.patch features/imap_fast_trash.patch features/sensible_browser_position.patch features/compressed-folders.patch features/compressed-folders.debian.patch debian-specific/Muttrc.patch debian-specific/Md.etc_mailname_gethostbyname.patch debian-specific/use_usr_bin_editor.patch debian-specific/correct_docdir_in_man_page.patch debian-specific/dont_document_not_present_features.patch debian-specific/document_debian_defaults.patch debian-specific/assumed_charset-compat.patch debian-specific/467432-write_bcc.patch debian-specific/566076-build_doc_adjustments.patch misc/define-pgp_getkeys_command.patch misc/gpg.rc-paths.patch misc/smime.rc.patch misc/fix-configure-test-operator.patch upstream/531430-imapuser.patch upstream/543467-thread-segfault.patch upstream/548577-gpgme-1.2.patch upstream/553321-ansi-escape-segfault.patch upstream/528233-readonly-open.patch upstream/228671-pipe-mime.patch upstream/383769-score-match.patch upstream/603288-split-fetches.patch upstream/611410-no-implicit_autoview-for-text-html.patch upstream/771125-CVE-2014-9116-jessie.patch upstream/path_max.patch translations/update_german_translation.patch __separator__mutt.org.patch It would appear that the maintainer who applied the security patches was insufficiently aware of the hack used to generate the normal and patched versions of the package. cheers, Wessel Dankers To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/mutt/+bug/1794278/+subscriptions _______________________________________________ Mailing list: https://launchpad.net/~group.of.nepali.translators Post to : group.of.nepali.translators@lists.launchpad.net Unsubscribe : https://launchpad.net/~group.of.nepali.translators More help : https://help.launchpad.net/ListHelp