===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.0237
                           mutt security update
                              21 January 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           mutt
Publisher:         Debian
Operating System:  Debian GNU/Linux
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Denial of Service -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-3181  

Original Bulletin: 
   https://lists.debian.org/debian-lts-announce/2021/01/msg00017.html

Comment: This advisory references vulnerabilities in products which run on 
         platforms other than Debian. It is recommended that administrators 
         running mutt check for an updated version of the software for their
         operating system.

--------------------------BEGIN INCLUDED TEXT--------------------

-----------------------------------------------------------------------
Debian LTS Advisory DLA-2529-1              debian-lts@lists.debian.org
https://www.debian.org/lts/security/                      Utkarsh Gupta
January 21, 2021                            https://wiki.debian.org/LTS
-----------------------------------------------------------------------

Package        : mutt
Version        : 1.7.2-1+deb9u5
CVE ID         : CVE-2021-3181
Debian Bug     : 980326

rfc822.c in Mutt through 2.0.4 allows remote attackers to
cause a denial of service (mailbox unavailability) by sending
email messages with sequences of semicolon characters in
RFC822 address fields (aka terminators of empty groups).

A small email message from the attacker can cause large
memory consumption, and the victim may then be unable to
see email messages from other persons.

For Debian 9 stretch, this problem has been fixed in version
1.7.2-1+deb9u5.

We recommend that you upgrade your mutt packages.

For the detailed security status of mutt please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/mutt

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

--------------------------END INCLUDED TEXT--------------------
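
A mail-side check for the condition the Debian advisory describes, as an added example (not code from Mutt, Debian or AusCERT): it counts semicolons in RFC822 address headers that terminate no group and reports headers above a threshold. The threshold MAX_STRAY, the function names and the two sample messages are assumptions constructed for illustration.

```python
import email, email.policy

ADDRESS_HEADERS = {"from", "sender", "reply-to", "to", "cc", "bcc", "resent-from",
                   "resent-sender", "resent-to", "resent-cc", "resent-bcc"}
MAX_STRAY = 8  # assumed threshold; legitimate mail rarely has any stray ';'

def stray_terminators(value):
    """Count ';' that close no group, skipping quoted strings, comments, [literals]."""
    stray, depth = 0, 0
    in_quote = in_literal = open_group = escaped = False
    for ch in value:
        if escaped:
            escaped = False
        elif ch == "\\" and (in_quote or in_literal or depth):
            escaped = True
        elif in_quote:
            in_quote = ch != '"'
        elif in_literal:
            in_literal = ch != "]"
        elif depth:
            depth += (ch == "(") - (ch == ")")
        elif ch == '"':
            in_quote = True
        elif ch == "[":
            in_literal = True
        elif ch == "(":
            depth = 1
        elif ch == ":":
            open_group = True          # "phrase:" starts a group
        elif ch == ";":
            stray += not open_group    # terminator with no group to close
            open_group = False
    return stray

def suspicious_headers(raw, limit=MAX_STRAY):
    """Return (header, count) for address fields with more than `limit` stray ';'."""
    # compat32 keeps header values as plain strings, so nothing here parses addresses.
    msg = email.message_from_bytes(raw, policy=email.policy.compat32)
    counts = ((n, stray_terminators(str(v))) for n, v in msg.items()
              if n.lower() in ADDRESS_HEADERS)
    return [(n, c) for n, c in counts if c > limit]

# Constructed sample messages (not taken from the advisory).
BENIGN = (b"From: a@example.org\r\nTo: team: b@example.org, c@example.org;,"
          b" undisclosed-recipients:;\r\nSubject: hi\r\n\r\nbody\r\n")
SUSPECT = b"From: a@example.org\r\nCc: " + b";" * 40 + b"\r\nSubject: hi\r\n\r\nbody\r\n"

if __name__ == "__main__":
    print(suspicious_headers(BENIGN), suspicious_headers(SUSPECT))
```

An obsolete source route such as `<@a:user@host>` contains a colon and can hide one stray terminator, so the count is a lower bound.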

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================