Bugzilla – Bug 1172906
VUL-0: CVE-2020-14154: mutt,neomutt: expired certs not properly rejected with GnuTLS
Last modified: 2021-08-23 13:53:10 UTC
Announced by upstream. No CVEs AFAICS

I've just released version 1.14.3. Instructions for downloading are available at <http://www.mutt.org/download.html>, or the tarball can be directly downloaded from <http://ftp.mutt.org/pub/mutt/>. Please take the time to verify the signature file against my public key.

This is an important security release fixing two issues.

The first is a possible IMAP man-in-the-middle attack. No credentials are exposed, but could result in unintended emails being "saved" to an attacker's server. The $ssl_starttls quadoption is now used to check for an unencrypted PREAUTH response from the server. Thanks very much to Damian Poddebniak and Fabian Ising from the Münster University of Applied Sciences for reporting this issue, and their help in testing the fix.

The second fix is for a problem with GnuTLS certificate prompting. "Rejecting" an expired intermediate cert did not terminate the connection. Thanks to @henk on IRC for reporting the issue.
*** Bug 1172935 has been marked as a duplicate of this bug. ***
CVE-2020-14093

Mutt before 1.14.3 allows an IMAP fcc/postpone man-in-the-middle attack via a PREAUTH response. STARTTLS is not allowed in the Authenticated state, so previously Mutt would implicitly mark the connection as authenticated and skip any encryption checking/enabling. No credentials are exposed, but it does allow messages to be sent to an attacker, via postpone or fcc'ing for instance.

References:
https://gitlab.com/muttmua/mutt/-/commit/3e88866dc60b5fa6aaba6fd7c1710c12c1c3cd01
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-14093
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14093
SUSE:SLE-10-SP3:Update mutt Affected
SUSE:SLE-11:Update mutt Affected
SUSE:SLE-12:Update mutt Affected
SUSE:SLE-15:Update mutt Affected
CVE-2020-14154

Mutt before 1.14.3 proceeds with a connection even if, in response to a GnuTLS certificate prompt, the user rejects an expired intermediate certificate.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-14154
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14154
http://lists.mutt.org/pipermail/mutt-announce/Week-of-Mon-20200608/000022.html
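For CVE-2020-14093 as described above, the greeting handling before and after the fix can be modelled as follows. This is an added example, not part of the bug report and not Mutt's code; every name in it (`enum quad`, `greeting_before_fix`, `greeting_after_fix`, `user_aborts`) is hypothetical, and the quadoption is simplified to three values.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical names; a model of the decision, not Mutt's source. */
enum quad { QUAD_NO, QUAD_YES, QUAD_ASK };   /* simplified quadoption */
enum conn_state { CONN_ABORTED, CONN_NOT_AUTHENTICATED, CONN_AUTHENTICATED };

/* Case-insensitive test that 'line' starts with 'prefix'. */
static bool has_prefix(const char *line, const char *prefix)
{
    for (; *prefix; line++, prefix++)
        if (tolower((unsigned char)*line) != tolower((unsigned char)*prefix))
            return false;
    return true;
}

/* Before the fix: PREAUTH moves straight to the Authenticated state, where
 * STARTTLS is not allowed, so the link's encryption is never examined. */
enum conn_state greeting_before_fix(const char *greeting, bool encrypted)
{
    (void)encrypted;                        /* never consulted */
    if (has_prefix(greeting, "* PREAUTH"))
        return CONN_AUTHENTICATED;
    return has_prefix(greeting, "* OK") ? CONN_NOT_AUTHENTICATED : CONN_ABORTED;
}

/* After the fix: PREAUTH on a cleartext link is checked against the STARTTLS
 * policy; 'user_aborts' stands in for the answer to an "ask" prompt. */
enum conn_state greeting_after_fix(const char *greeting, bool encrypted,
                                   enum quad starttls, bool user_aborts)
{
    if (has_prefix(greeting, "* PREAUTH")) {
        if (!encrypted &&
            (starttls == QUAD_YES || (starttls == QUAD_ASK && user_aborts)))
            return CONN_ABORTED;
        return CONN_AUTHENTICATED;
    }
    return has_prefix(greeting, "* OK") ? CONN_NOT_AUTHENTICATED : CONN_ABORTED;
}

int main(void)
{
    const char *g = "* PREAUTH ready";      /* constructed cleartext greeting */
    printf("before fix: %d\n", greeting_before_fix(g, false));
    printf("after fix:  %d\n", greeting_after_fix(g, false, QUAD_YES, false));
    return 0;
}
```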
The submits have to be tested to make sure that SSL/TLS is still working
(In reply to Dr. Werner Fink from comment #13)
> The submits have to be tested to make sure that SSL/TLS is still working

With the update SSL/TLS does not work, with ssl_starttls = yes
possible problem line 181 in mutt-1.10.1-backport-mutt_ssl_gnutls-1.14.3.diff

# echo -e "Hello,\nthis is message from admin." | mutt -s "Hello from openQA" -- nimda@localhost
gnutls_priority_set_direct(֦!�NORMAL:-VERS-TLS1.1:-VERS-TLS1.0:-VERS-SSL3.0): The request is invalid.
Could not negotiate TLS connection
Could not send the message.
I think this part of the patch should not have been removed:

+- priority[0] = 0;

I think this removed line causes the weird characters in front of the string
(In reply to Marcus Meissner from comment #16)
> I think this part of the patch should not have been removed:
>
> +- priority[0] = 0;
>
> I think this removed line causes the weird characters in front of the string

Thanks for spotting!
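The failure mode suspected in the comments above, a string assembled by appending into a buffer whose first byte was never set to NUL, can be reproduced deterministically. This is an added example, not part of the bug report and not the code from the backport; `append_str`, `build_priority` and `demo` are hypothetical names, and the stale bytes are constructed to stand in for uninitialised memory.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: append src after the first NUL found in dst. */
static void append_str(char *dst, size_t size, const char *src)
{
    char *end = memchr(dst, '\0', size);
    size_t used = end ? (size_t)(end - dst) : size - 1;
    snprintf(dst + used, size - used, "%s", src);
}

/* Builds the priority string seen in the error output above. With
 * reset_first == false the buffer's old contents stay in front of it. */
const char *build_priority(char *buf, size_t size, bool reset_first)
{
    if (reset_first)
        buf[0] = 0;                  /* the line discussed in the comments */
    append_str(buf, size, "NORMAL");
    append_str(buf, size, ":-VERS-TLS1.1");
    append_str(buf, size, ":-VERS-TLS1.0");
    append_str(buf, size, ":-VERS-SSL3.0");
    return buf;
}

/* Fills buf with constructed stale bytes (standing in for an uninitialised
 * stack buffer, made deterministic here) and then builds the string. */
const char *demo(char *buf, size_t size, bool reset_first)
{
    memset(buf, 0, size);
    memcpy(buf, "\x7f!#", 3);        /* constructed leftover bytes */
    return build_priority(buf, size, reset_first);
}

int main(void)
{
    char buf[128];
    printf("with reset:    \"%s\"\n", demo(buf, sizeof buf, true));
    printf("without reset: \"%s\"\n", demo(buf, sizeof buf, false));
    return 0;
}
```

Without the reset, the library receives a priority string that no longer starts with a valid keyword, which matches the "The request is invalid." failure quoted above.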
This is an autogenerated message for OBS integration:
This bug (1172906) was mentioned in
https://build.opensuse.org/request/show/816866 Factory / mutt
SUSE-SU-2020:1771-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1172906,1172935,1173197
CVE References: CVE-2020-14093,CVE-2020-14154,CVE-2020-14954
Sources used:
SUSE Linux Enterprise Server for SAP 15 (src): mutt-1.10.1-3.8.1
SUSE Linux Enterprise Server 15-LTSS (src): mutt-1.10.1-3.8.1
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src): mutt-1.10.1-3.8.1
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src): mutt-1.10.1-3.8.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src): mutt-1.10.1-3.8.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src): mutt-1.10.1-3.8.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2020:1794-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1172906,1172935,1173197
CVE References: CVE-2020-14093,CVE-2020-14154,CVE-2020-14954
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src): mutt-1.10.1-55.11.1
SUSE OpenStack Cloud 8 (src): mutt-1.10.1-55.11.1
SUSE OpenStack Cloud 7 (src): mutt-1.10.1-55.11.1
SUSE Linux Enterprise Server for SAP 12-SP3 (src): mutt-1.10.1-55.11.1
SUSE Linux Enterprise Server for SAP 12-SP2 (src): mutt-1.10.1-55.11.1
SUSE Linux Enterprise Server 12-SP5 (src): mutt-1.10.1-55.11.1
SUSE Linux Enterprise Server 12-SP4 (src): mutt-1.10.1-55.11.1
SUSE Linux Enterprise Server 12-SP3-LTSS (src): mutt-1.10.1-55.11.1
SUSE Linux Enterprise Server 12-SP3-BCL (src): mutt-1.10.1-55.11.1
SUSE Linux Enterprise Server 12-SP2-LTSS (src): mutt-1.10.1-55.11.1
SUSE Linux Enterprise Server 12-SP2-BCL (src): mutt-1.10.1-55.11.1
SUSE Enterprise Storage 5 (src): mutt-1.10.1-55.11.1
HPE Helion Openstack 8 (src): mutt-1.10.1-55.11.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2020:0915-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1172906,1172935,1173197
CVE References: CVE-2020-14093,CVE-2020-14154,CVE-2020-14954
Sources used:
openSUSE Leap 15.2 (src): mutt-1.10.1-lp152.3.3.1
SUSE-SU-2020:14414-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1172906,1172935,1173197
CVE References: CVE-2020-14093,CVE-2020-14154,CVE-2020-14954
Sources used:
SUSE Linux Enterprise Server 11-SP4-LTSS (src): mutt-1.5.17-42.51.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src): mutt-1.5.17-42.51.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src): mutt-1.5.17-42.51.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src): mutt-1.5.17-42.51.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Done
These did not get fixed for neomutt
This is an autogenerated message for OBS integration:
This bug (1172906) was mentioned in
https://build.opensuse.org/request/show/850817 15.1+15.2 / neomutt
openSUSE-SU-2020:2127-1: An update that solves four vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1172906,1172935,1173197,1179035,1179113
CVE References: CVE-2020-14093,CVE-2020-14154,CVE-2020-14954,CVE-2020-28896
JIRA References:
Sources used:
openSUSE Leap 15.2 (src): neomutt-20201120-lp152.2.3.1
openSUSE Leap 15.1 (src): neomutt-20201120-lp151.2.3.1
openSUSE-SU-2020:2157-1: An update that solves four vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1172906,1172935,1173197,1179035,1179113
CVE References: CVE-2020-14093,CVE-2020-14154,CVE-2020-14954,CVE-2020-28896
JIRA References:
Sources used:
openSUSE Backports SLE-15-SP1 (src): neomutt-20201120-bp151.3.3.1
openSUSE-SU-2020:2158-1: An update that solves four vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1172906,1172935,1173197,1179035,1179113
CVE References: CVE-2020-14093,CVE-2020-14154,CVE-2020-14954,CVE-2020-28896
JIRA References:
Sources used:
openSUSE Backports SLE-15-SP2 (src): neomutt-20201120-bp152.2.3.1
released