Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2020.2195
FreeBSD - MitM response injection attack when using STARTTLS
with IMAP, POP3, and SMTP
25 June 2020
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: mutt
Publisher: FreeBSD
Operating System: FreeBSD
Impact/Access: Provide Misleading Information -- Remote/Unauthenticated
Access Confidential Data -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2020-14954 CVE-2020-14093
Reference: ESB-2020.2142
ESB-2020.2194
Original Bulletin:
https://www.vuxml.org/freebsd/29b13a34-b1d2-11ea-a11c-4437e6ad11c4.html
https://www.vuxml.org/freebsd/5b397852-b1d0-11ea-a11c-4437e6ad11c4.html
Comment: This bulletin contains two (2) FreeBSD security advisories.
- --------------------------BEGIN INCLUDED TEXT--------------------
Machine-in-the-middle response injection attack when using STARTTLS with IMAP,
POP3, and SMTP
Affected packages
mutt <= 1.14.3
Details
VuXML ID 29b13a34-b1d2-11ea-a11c-4437e6ad11c4
Discovery 2020-06-16
Entry 2020-06-24
mutt 1.14.4 updates:
CVE-2020-14954 - Machine-in-the-middle response injection attack when using
STARTTLS with IMAP, POP3, and SMTP
https://gitlab.com/muttmua/mutt/-/commit/c547433cdf2e79191b15c6932c57f1472bfb5ff4
References
CVE CVE-2020-14954
Name
URL https://gitlab.com/muttmua/mutt/-/commit/
c547433cdf2e79191b15c6932c57f1472bfb5ff4
- -------------------------------------------------------------------------------
IMAP fcc/postpone machine-in-the-middle attack
Affected packages
mutt <= 1.14.2
Details
VuXML ID 5b397852-b1d0-11ea-a11c-4437e6ad11c4
Discovery 2020-06-14
Entry 2020-06-24
mutt 1.14.3 updates:
CVE-2020-14093 - IMAP fcc/postpone man-in-the-middle attack via a PREAUTH
response.
https://github.com/muttmua/mutt/commit/3e88866dc60b5fa6aaba6fd7c1710c12c1c3cd01
References
CVE CVE-2020-14093
Name
URL https://github.com/muttmua/mutt/commit/
3e88866dc60b5fa6aaba6fd7c1710c12c1c3cd01
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBXvPaq+NLKJtyKPYoAQgXyw//c4cPZQjordgXkUGHcdgjZOcohGlUYMb4
Td0iDyBVOblqbPBVcpex+j7uEsHU0apI1CPtGk3hpMOV63xQO3fheq1JxFKrmJH4
vu/UT6BesqSa07pOjLEPtvAxEytkX+ONnWjsFdsNn3m7Azme1rBh17hS2kUWLGkI
T5y+9khZr7aiatugSSYTtmHYgl2/+X4djN5YDPnMMJdI6XIzjzdzhICQh2ycq1pm
fseF71y6oYoE2HEPWHcvzJ9yBCpHyxbIQjedocGI6Hi7EgQc+lPkD0M4YDLiMS7R
iSxLFzVzEeiW4EUllZwWVbg7dju7lbW6qp9OB6Yh2gcmvfoHVOw2xNVH5ElU0zXm
MfuqaF3sSp4QGtxw8A+qjG2AJCrqHHF28nHFleO0FZQHK+pbDEg7L9h2QCWqEQEZ
RjMLU2wtanLUE3noA4wAUbLwz3Bo0qMnudGPaCfxXGLjFVxaVNDLP2S8tOiTeZO5
UuyztI1csSIZ21TjUKRq1uLlpK4H/nIE93MmTuG6nCNmkiNtSscruCscb6wO2p7j
4OisOzX/F3cmHEl0EDdwAtBdjmzyTDCnUsw6IHFUFLJX74C+n5OozDhr3qmPpGi2
lsn0gyQ8FmOBzCEoCIwuCmi3Y1pZkAZ/G2ASMmdImkrd4c99b/65fqJgxHzH9Yu7
NEia5PI7qYY=
=sJLT
-----END PGP SIGNATURE-----