-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.3790
              mutt security, bug fix, and enhancement update
                             10 November 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           mutt
Publisher:         Red Hat
Operating System:  Red Hat
Impact/Access:     Denial of Service        -- Remote with User Interaction
                   Access Confidential Data -- Remote with User Interaction
                   Reduced Security         -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-3181 CVE-2020-28896 

Reference:         ASB-2021.0216
                   ASB-2021.0213
                   ESB-2021.3545
                   ESB-2021.3413
                   ESB-2021.0294

Original Bulletin: 
   https://access.redhat.com/errata/RHSA-2021:4181

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: mutt security, bug fix, and enhancement update
Advisory ID:       RHSA-2021:4181-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2021:4181
Issue date:        2021-11-09
CVE Names:         CVE-2020-28896 CVE-2021-3181 
=====================================================================

1. Summary:

An update for mutt is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 8) - aarch64, ppc64le, s390x, x86_64

3. Description:

Mutt is a low resource, highly configurable, text-based MIME e-mail client.
Mutt supports most e-mail storing formats, such as mbox and Maildir, as
well as most protocols, including POP3 and IMAP.

The following packages have been upgraded to a later upstream version: mutt
(2.0.7). (BZ#1912614)

Security Fix(es):

* mutt: Incorrect handling of invalid initial IMAP responses could lead to
an authentication attempt over unencrypted connection (CVE-2020-28896)

* mutt: Memory leak when parsing rfc822 group addresses (CVE-2021-3181)
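
The first fix above concerns what a client does after an initial IMAP
greeting it cannot parse. The following Python sketch is an added
illustration of that defect class and is not mutt's code: a constructed
"lenient" decision routine that, on an unrecognised greeting, falls through
to LOGIN on a still-plaintext socket, beside a hardened routine that treats
an invalid greeting as a protocol error and never sends credentials before
TLS is established. The function names, the action strings and the sample
greetings are all assumptions made for the example.

```python
"""Greeting handling in an IMAP client, weak form beside hardened form.

Added illustration of the CVE-2020-28896 defect class (invalid initial IMAP
response leading to a cleartext authentication attempt). This is NOT mutt's
code; function names, return values and sample greetings are constructed.
"""
import re
from typing import Optional

# RFC 3501 greeting: an untagged "* OK", "* PREAUTH" or "* BYE" line.
# The trailing group forces a word boundary so "* OKAY ..." does not match.
GREETING_RE = re.compile(rb"^\* (OK|PREAUTH|BYE)(?: |\r\n|$)")


def parse_greeting(line: bytes) -> Optional[str]:
    """Return 'OK', 'PREAUTH' or 'BYE' for a well-formed greeting, else None."""
    m = GREETING_RE.match(line)
    return m.group(1).decode("ascii") if m else None


def next_step_lenient(greeting: bytes, tls_active: bool) -> str:
    """Constructed weak logic: only recognised greetings change the flow, so an
    unparseable greeting skips STARTTLS and ends in LOGIN over plaintext."""
    status = parse_greeting(greeting)
    if status == "BYE":
        return "abort"
    if status == "PREAUTH":
        return "already-authenticated"
    if status == "OK" and not tls_active:
        return "starttls"
    # Reached for status None as well, even when tls_active is False:
    # this is the cleartext authentication attempt.
    return "login"


def next_step_hardened(greeting: bytes, tls_active: bool,
                       force_tls: bool = True) -> str:
    """Hardened logic: an invalid greeting is a fatal protocol error, and LOGIN
    is only sent once TLS is up unless the operator explicitly allowed
    cleartext (force_tls=False)."""
    status = parse_greeting(greeting)
    if status is None or status == "BYE":
        return "abort"            # do not guess what a malformed server meant
    if status == "PREAUTH":
        return "already-authenticated"
    if tls_active:
        return "login"
    if force_tls:
        return "starttls"         # credentials wait for an encrypted channel
    return "login"


if __name__ == "__main__":
    # Constructed sample greetings: one valid, one malformed.
    samples = [b"* OK IMAP4rev1 server ready\r\n", b"garbage line\r\n"]
    for g in samples:
        print(g, "lenient ->", next_step_lenient(g, tls_active=False),
              "| hardened ->", next_step_hardened(g, tls_active=False))
```

The difference that matters is the branch taken for a greeting that parses
to None on a plaintext socket: the lenient routine answers "login", the
hardened one "abort". Operationally the same outcome is enforced from the
configuration side by requiring TLS for every IMAP session (mutt's
ssl_force_tls setting), so that a malformed or downgraded greeting can never
be followed by a cleartext LOGIN regardless of the parser's behaviour.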

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat
Enterprise Linux 8.5 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1890084 - RFE: Enable oauth2 support in mutt
1900826 - CVE-2020-28896 mutt: Incorrect handling of invalid initial IMAP responses could lead to an authentication attempt over unencrypted connection
1912614 - [RFE] Rebase mutt packages to mutt v2.x+
1920446 - CVE-2021-3181 mutt: Memory leak when parsing rfc822 group addresses

6. Package List:

Red Hat Enterprise Linux AppStream (v. 8):

Source:
mutt-2.0.7-1.el8.src.rpm

aarch64:
mutt-2.0.7-1.el8.aarch64.rpm
mutt-debuginfo-2.0.7-1.el8.aarch64.rpm
mutt-debugsource-2.0.7-1.el8.aarch64.rpm

ppc64le:
mutt-2.0.7-1.el8.ppc64le.rpm
mutt-debuginfo-2.0.7-1.el8.ppc64le.rpm
mutt-debugsource-2.0.7-1.el8.ppc64le.rpm

s390x:
mutt-2.0.7-1.el8.s390x.rpm
mutt-debuginfo-2.0.7-1.el8.s390x.rpm
mutt-debugsource-2.0.7-1.el8.s390x.rpm

x86_64:
mutt-2.0.7-1.el8.x86_64.rpm
mutt-debuginfo-2.0.7-1.el8.x86_64.rpm
mutt-debugsource-2.0.7-1.el8.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
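
A practitioner rolling this errata out across a fleet wants a mechanical
answer to "is the installed mutt at or above mutt-2.0.7-1.el8?". The
following Python is an added example, not Red Hat's or mutt's code: it
implements RPM's version-segment comparison (numeric runs beat alphabetic
runs, "~" sorts before anything) over epoch:version-release strings and
reports whether an installed EVR is at least the fixed one from the package
list above. The sample installed versions are constructed; the fixed EVR is
taken from this advisory.

```python
"""Compare an installed mutt EVR against the fixed build in RHSA-2021:4181.

Added example; not part of the advisory, Red Hat tooling or mutt. The
comparison mirrors rpmvercmp's segment rules. Sample installed values below
are constructed for illustration.
"""
import re
from typing import Tuple

# Fixed build from the package list in this advisory (no epoch on mutt here).
FIXED_EVR = "2.0.7-1.el8"


def _segments(s: str):
    """Split into numeric runs, alphabetic runs and tilde markers, like rpmvercmp."""
    return re.findall(r"~|\d+|[A-Za-z]+", s)


def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 comparing two RPM version (or release) strings."""
    if a == b:
        return 0
    sa, sb = _segments(a), _segments(b)
    while sa or sb:
        x = sa.pop(0) if sa else ""
        y = sb.pop(0) if sb else ""
        if x == "~" or y == "~":          # tilde sorts before everything, even end of string
            if x != y:
                return -1 if x == "~" else 1
            continue
        if not x:                         # a ran out first: a < b
            return -1
        if not y:
            return 1
        if x.isdigit() and y.isdigit():
            c = (int(x) > int(y)) - (int(x) < int(y))
        elif x.isdigit():
            c = 1                         # numeric segment beats alphabetic
        elif y.isdigit():
            c = -1
        else:
            c = (x > y) - (x < y)
        if c:
            return c
    return 0


def parse_evr(evr: str) -> Tuple[int, str, str]:
    """Split 'epoch:version-release' into parts; missing or '(none)' epoch is 0."""
    epoch = 0
    if ":" in evr:
        e, evr = evr.split(":", 1)
        epoch = 0 if e == "(none)" else int(e)
    version, _, release = evr.partition("-")
    return epoch, version, release


def evr_cmp(a: str, b: str) -> int:
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return (ea > eb) - (ea < eb)
    c = rpmvercmp(va, vb)
    return c if c else rpmvercmp(ra, rb)


def is_fixed(installed_evr: str, fixed_evr: str = FIXED_EVR) -> bool:
    """True when the installed EVR is at or above the errata's fixed EVR."""
    return evr_cmp(installed_evr, fixed_evr) >= 0


if __name__ == "__main__":
    # Constructed sample outputs of:
    #   rpm -q --qf '%{EPOCH}:%{VERSION}-%{RELEASE}\n' mutt
    for installed in ["(none):1.10.1-1.el8", "(none):2.0.7-1.el8", "2.0.7-2.el8"]:
        print(installed, "fixed" if is_fixed(installed) else "VULNERABLE")
```

On a host, feed the function the output of `rpm -q --qf
'%{EPOCH}:%{VERSION}-%{RELEASE}\n' mutt`; a package that reports a lower
EVR still needs the update. Signature checking of the downloaded packages
is a separate step (`rpm -K` against the Red Hat key linked above) and is
not something a version comparison can substitute for.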

7. References:

https://access.redhat.com/security/cve/CVE-2020-28896
https://access.redhat.com/security/cve/CVE-2021-3181
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.5_release_notes/

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----