On Tue, Apr 21, 2026 at 10:28:02AM +0800, Kevin J. McCarthy wrote:
> On Sat, Apr 18, 2026 at 09:27:59PM +0800, Kevin J. McCarthy wrote:
> > On Sat, Apr 18, 2026 at 02:14:53PM +0200, evilrabbit via Mutt-dev wrote:
> > > Please find below a number of confirmed security findings in the mutt 
> > > client.
> > > None of these are significant but should probably be addressed.
> > 
> > Thanks, I will start taking a look at these tomorrow.
> 
> Just to summarize the state for everyone.
> 
> Fixes committed to stable:
> > ### 1. NULL Dereference in Signature Verification (MEDIUM)
> > ### 2. Infinite Loop on GPGME Read Error (MEDIUM)
> > ### 5. CRAM-MD5 HMAC Weakening (MEDIUM, Conditional)
> > ### 6. GSSAPI Buffer Underflow (MEDIUM, Conditional)
> > ### 7. URL %00 Truncation (LOW-MEDIUM)
> 
> Fixes committed to master:
> > ### 8. TLS Certificate CN Fallback (LOW-MEDIUM)
> 
> Won't fix:
> > ### 3. POP3 Unbounded Memory Growth (MEDIUM)
> 
> Still to discuss/think about:
> > ### 4. MIME Boundary Predictability (MEDIUM)
> 
> I'll make a stable release in the next week or two.
> 
> If anyone has comments about #4, I'd appreciate feedback.  The email
> suggested perhaps ChaCha20 instead of LFSR113 PRNG.  I don't think the
> situation is as dire as the "attack" suggests, but if the PRNG really sucks
> that badly, we shouldn't be using it.

Why not use the platform-specific random number generator, and if that
is not present, fall back to what we have today?  That way real
platforms will be fine, and you don't have to add your own random number
logic to the program, as it shouldn't be needed.

thanks,

greg k-h
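
The layering suggested in this reply (OS random source first, existing generator only as a fallback) could look like the sketch below. It is an added example, not code from mutt or from anyone in this thread. The names `random_fill`, `make_boundary` and `legacy_prng_fill` are hypothetical, `legacy_prng_fill` is only a stand-in for whatever generator a client already has, and the hex boundary format is illustrative.

```c
#include <stdio.h>
#include <stdlib.h>
#if defined(__linux__)
#include <sys/random.h>   /* getrandom(), glibc >= 2.25 */
#endif

/* Hypothetical stand-in for the client's existing PRNG (fallback path only). */
static void legacy_prng_fill(unsigned char *buf, size_t len)
{
  for (size_t i = 0; i < len; i++)
    buf[i] = (unsigned char) (rand() & 0xff);
}

/* Fill buf with len random bytes. Returns 1 if an OS source supplied them,
 * 0 if the legacy generator had to be used. */
int random_fill(unsigned char *buf, size_t len)
{
#if defined(__linux__)
  size_t off = 0;
  while (off < len)
  {
    ssize_t n = getrandom(buf + off, len - off, 0);
    if (n <= 0) break;             /* e.g. ENOSYS: try the next source */
    off += (size_t) n;
  }
  if (off == len) return 1;
#endif
  FILE *fp = fopen("/dev/urandom", "rb");   /* generic Unix source */
  if (fp)
  {
    size_t got = fread(buf, 1, len, fp);
    fclose(fp);
    if (got == len) return 1;
  }
  legacy_prng_fill(buf, len);      /* last resort: what we have today */
  return 0;
}

/* Hex-encode nbytes random bytes into out. Returns random_fill()'s result,
 * or -1 if the sizes do not fit. */
int make_boundary(char *out, size_t outlen, size_t nbytes)
{
  unsigned char raw[32];
  if (nbytes == 0 || nbytes > sizeof raw || outlen < 2 * nbytes + 1) return -1;
  int from_os = random_fill(raw, nbytes);
  for (size_t i = 0; i < nbytes; i++)
    snprintf(out + 2 * i, 3, "%02x", raw[i]);
  return from_os;
}
```

The return value lets a caller log or test which path was taken, so a platform that silently ends up on the fallback can be noticed.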
