-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.3790
              mutt security, bug fix, and enhancement update
                              10 November 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           mutt
Publisher:         Red Hat
Operating System:  Red Hat
Impact/Access:     Denial of Service        -- Remote with User Interaction
                   Access Confidential Data -- Remote with User Interaction
                   Reduced Security         -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-3181 CVE-2020-28896
Reference:         ASB-2021.0216
                   ASB-2021.0213
                   ESB-2021.3545
                   ESB-2021.3413
                   ESB-2021.0294

Original Bulletin:
   https://access.redhat.com/errata/RHSA-2021:4181

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: mutt security, bug fix, and enhancement update
Advisory ID:       RHSA-2021:4181-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2021:4181
Issue date:        2021-11-09
CVE Names:         CVE-2020-28896 CVE-2021-3181
=====================================================================

1. Summary:

An update for mutt is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact of
Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives
a detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 8) - aarch64, ppc64le, s390x, x86_64

3. Description:

Mutt is a low resource, highly configurable, text-based MIME e-mail client.
Mutt supports most e-mail storing formats, such as mbox and Maildir, as well
as most protocols, including POP3 and IMAP.

The following packages have been upgraded to a later upstream version: mutt
(2.0.7). (BZ#1912614)

Security Fix(es):

* mutt: Incorrect handling of invalid initial IMAP responses could lead to an
authentication attempt over unencrypted connection (CVE-2020-28896)

* mutt: Memory leak when parsing rfc822 group addresses (CVE-2021-3181)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat
Enterprise Linux 8.5 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes described
in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1890084 - RFE: Enable oauth2 support in mutt
1900826 - CVE-2020-28896 mutt: Incorrect handling of invalid initial IMAP responses could lead to an authentication attempt over unencrypted connection
1912614 - [RFE] Rebase mutt packages to mutt v2.x+
1920446 - CVE-2021-3181 mutt: Memory leak when parsing rfc822 group addresses

6. Package List:

Red Hat Enterprise Linux AppStream (v. 8):

Source:
mutt-2.0.7-1.el8.src.rpm

aarch64:
mutt-2.0.7-1.el8.aarch64.rpm
mutt-debuginfo-2.0.7-1.el8.aarch64.rpm
mutt-debugsource-2.0.7-1.el8.aarch64.rpm

ppc64le:
mutt-2.0.7-1.el8.ppc64le.rpm
mutt-debuginfo-2.0.7-1.el8.ppc64le.rpm
mutt-debugsource-2.0.7-1.el8.ppc64le.rpm

s390x:
mutt-2.0.7-1.el8.s390x.rpm
mutt-debuginfo-2.0.7-1.el8.s390x.rpm
mutt-debugsource-2.0.7-1.el8.s390x.rpm

x86_64:
mutt-2.0.7-1.el8.x86_64.rpm
mutt-debuginfo-2.0.7-1.el8.x86_64.rpm
mutt-debugsource-2.0.7-1.el8.x86_64.rpm

These packages are GPG signed by Red Hat for security.
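To turn the package list above into a check, here is an added example that is not part of the Red Hat or AusCERT bulletin. It compares an inventory of installed mutt packages against the fixed build mutt-2.0.7-1.el8. The inventory lines are constructed for the example in the shape that rpm -q mutt --qf '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}\n' prints on each host; the host names and the older builds are invented. rpm orders packages by epoch, then version, then release; the advisory's file names carry no epoch, so the check assumes the update leaves the epoch unchanged and compares version and release only. rpmvercmp below reimplements librpm's ordering rules for the segment types these strings contain.

```python
r"""Audit installed mutt packages against the fixed build from RHSA-2021:4181.

Added example, not Red Hat's or AusCERT's tooling. The inventory below is
constructed; each line has the shape produced on a host by
    rpm -q mutt --qf '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}\n'
Epoch is not compared (assumed unchanged by the update).
"""
import re

FIXED_NVR = "mutt-2.0.7-1.el8"   # from section 6, Package List

# Constructed sample inventory: "<host> <name-version-release.arch>" per line.
SAMPLE_INVENTORY = """\
host-a mutt-1.10.1-1.el8.x86_64
host-b mutt-2.0.7-1.el8.aarch64
host-c mutt-2.0.7-1.el8.s390x
host-d mutt-2.0.7-0.1.el8.x86_64
host-e mutt-2.0.7-2.el8.ppc64le
"""

_SEGMENT = re.compile(r"[0-9]+|[a-zA-Z]+|~")


def rpmvercmp(a: str, b: str) -> int:
    """Order two version (or release) strings like librpm's rpmvercmp:
    numeric segments compare as integers, alphabetic ones lexically, a
    numeric segment is newer than an alphabetic one, '~' sorts before
    everything, and leftover segments make a string newer. Returns -1/0/1."""
    if a == b:
        return 0
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x == "~" or y == "~":
            if x != "~":
                return 1
            if y != "~":
                return -1
            continue
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x.isdigit():
            return 1
        elif y.isdigit():
            return -1
        elif x != y:
            return 1 if x > y else -1
    rest_a, rest_b = sa[len(sb):], sb[len(sa):]
    if rest_a:
        return -1 if rest_a[0] == "~" else 1
    if rest_b:
        return 1 if rest_b[0] == "~" else -1
    return 0


def parse_nvra(nvra: str):
    """Split 'name-version-release.arch' (the name may itself contain dashes)."""
    name, version, release_arch = nvra.rsplit("-", 2)
    release, _, arch = release_arch.rpartition(".")
    return name, version, release, arch


def is_fixed(installed_nvra: str, fixed_nvr: str = FIXED_NVR) -> bool:
    """True when the installed package is the fixed build or newer."""
    name, version, release, _arch = parse_nvra(installed_nvra)
    fixed_name, fixed_version, fixed_release = fixed_nvr.rsplit("-", 2)
    if name != fixed_name:
        raise ValueError(f"{installed_nvra!r} is not a {fixed_name} package")
    order = rpmvercmp(version, fixed_version) or rpmvercmp(release, fixed_release)
    return order >= 0


def audit(inventory: str = SAMPLE_INVENTORY, fixed_nvr: str = FIXED_NVR) -> dict:
    """Map each host in the inventory to whether its mutt carries the fix."""
    status = {}
    for line in inventory.splitlines():
        if not line.strip():
            continue
        host, nvra = line.split()
        status[host] = is_fixed(nvra, fixed_nvr)
    return status


if __name__ == "__main__":
    for host, fixed in audit().items():
        print(f"{host}: {'fixed' if fixed else 'VULNERABLE, update mutt'}")
```

A release older than 1.el8 on the same upstream version (host-d) still counts as unpatched, and a later rebuild (host-e) counts as patched, which is why the release field is compared rather than only the 2.0.7 version number.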
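The first security fix listed above concerns the moment an IMAP client decides it may send credentials. The following added example, constructed for this page and not mutt's code, models that decision: a client that notices an invalid greeting but neither closes the connection nor applies its TLS requirement, beside one that fails closed. The option name follows mutt's $ssl_force_tls; FakeServer, its scripted greetings, the tag values and the outcome strings are assumptions made for the illustration.

```python
"""Model of an IMAP client's connect-and-authenticate decision.

Added illustration, not mutt's code. It models the bug class the advisory
summarises for CVE-2020-28896: an invalid initial (greeting) line must close
the connection, and a client configured to require TLS (mutt's
$ssl_force_tls) must never send LOGIN until STARTTLS has succeeded.
FakeServer and its responses are constructed for the example.
"""
from dataclasses import dataclass, field

# RFC 3501: the only valid untagged greetings are OK, PREAUTH and BYE.
VALID_GREETINGS = ("* OK", "* PREAUTH", "* BYE")


@dataclass
class FakeServer:
    """Scripted peer that records every line the client sends to it."""
    greeting: str
    starttls_ok: bool = True
    sent: list = field(default_factory=list)

    def greet(self) -> str:
        return self.greeting

    def handle(self, line: str) -> str:
        self.sent.append(line)
        tag, _, cmd = line.partition(" ")
        if cmd == "STARTTLS":
            return f"{tag} OK Begin TLS" if self.starttls_ok else f"{tag} BAD TLS unavailable"
        if cmd.startswith("LOGIN "):
            return f"{tag} OK LOGIN completed"
        return f"{tag} BAD unknown command"


def vulnerable_connect(server: FakeServer, force_tls: bool, user: str, password: str) -> str:
    """Bug class: the TLS requirement is enforced only inside the branch that
    handles a well-formed greeting. An invalid greeting skips that branch,
    the socket stays open, and LOGIN goes out on the plaintext connection."""
    greeting = server.greet()
    encrypted = False
    if greeting.startswith(VALID_GREETINGS):
        if greeting.startswith("* BYE"):
            return "closed"
        if force_tls:
            encrypted = server.handle("a001 STARTTLS").startswith("a001 OK")
            if not encrypted:
                return "closed"
    # Invalid greeting: nothing above ran, yet we continue to authenticate.
    server.handle(f"a002 LOGIN {user} {password}")
    return "authenticated" if encrypted else "credentials sent in clear"


def hardened_connect(server: FakeServer, force_tls: bool, user: str, password: str) -> str:
    """Fixed behaviour: fail closed on anything unexpected, and gate LOGIN on
    the TLS requirement itself rather than on the greeting-parsing branch."""
    greeting = server.greet()
    if not greeting.startswith(VALID_GREETINGS) or greeting.startswith("* BYE"):
        return "closed"
    encrypted = False
    # STARTTLS is only valid in the not-authenticated state (RFC 3501), so a
    # PREAUTH greeting cannot satisfy the requirement and is refused below.
    if force_tls and not greeting.startswith("* PREAUTH"):
        encrypted = server.handle("a001 STARTTLS").startswith("a001 OK")
    if force_tls and not encrypted:
        return "closed"
    server.handle(f"a002 LOGIN {user} {password}")
    return "authenticated" if encrypted else "credentials sent in clear"


if __name__ == "__main__":
    for connect in (vulnerable_connect, hardened_connect):
        peer = FakeServer("garbage that is not an IMAP greeting")
        print(connect.__name__, "->", connect(peer, True, "alice", "s3cret"), peer.sent)
```

The fix is a structural one: the check that decides whether credentials may leave the client depends only on whether TLS was actually negotiated, so no unusual server behaviour can route around it.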
Our key and details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2020-28896
https://access.redhat.com/security/cve/CVE-2021-3181
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.5_release_notes/

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYYrcitzjgjWX9erEAQioPg/8C2gYed1JbL2glC9ljrJvfHFEiko4Ufs7
lWDV1nIMly7zkL3KZG9ziWr8dK/PCIsN47c2iw9U/BktI5bVv4r1z0XXOjt9OY7c
3RzNfysizMlV3K/Spbl4gMulunCx0KH2pTz2iPdZ4meitOryPzYKszLv+LzmKN/M
fERTLsInRwjealn0EVhkbvNUaGb3vaiFEjx0d/31G1WSPtuc4JKhus+kTwaJRrVD
W0iluV1gGIZ27XbbyVlhTCdMbhB2R86XR8jxSE0o3lOS8uNNo/1tpb8wXYQuhnGl
Zom29KL5EnVylsPL1eq/Q64z8Oc9EISp1iEWgh+H5RAL78WZRJuOHwIVRj7oPBC6
bAsT9ZGf9Nrsf+Xvz0mqFbu1Q3/cRSsfHfZdP2breeiM/OOZ1MiPH2r/7Um+uNzI
9eJU+gWmAkSNVmsm07ZTuNMEr81fvyG3PZmLdfKO3s1oXXw852/uPpq0V+SyEOIx
H6xwxFCgEN6w8V8cQ5JZqCtznToIElF42CiYBXUs8yUD1n+H6Rtd4XnVC87TAp4t
RWd4v6pXN9K2fcQqXEqn4+tG6BVIngxfhGPLhNvHgkG4yZ7u66UIeP7xBYbHHNsd
iMpKAXJsWy5EYd55bH7O9HlvIg8sU1p/Prqi+wH7L2Q+ZMqVOmYxHdklVuvnGRhh
K5IAhAXAn+0=
=9afl
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBYYtSNeNLKJtyKPYoAQiiZQ//RhPTC2N3L8fVpam9LQ0A1cYeYIVOhQtn
lkH8uAr9fiPYdXOYbDl5X+uL0DLpgAsHVzGmcc9sbGb2MON2bX24ljQnOg8rgoJU
pnUkC+FH2IGSI58Xp41ENQ+lOMN6IqQFUkYG52z2QpRXgICCt+egGO27hviKIBkm
OFQ8e/cvTBAM2RLy1EMOHNrRfje6PkBUZ4dB0CGJ1i6iCTsnnq5fv+KxTBjkIHmb
oOnKy2623yyTzZxn3WBz3wpgka+7QT7r6jhwU+IrrTQZYm4nq6srT3OtyBOilACi
QzYNgLYVSFIM1/Sa9jOVHob8TYzvHzp8R/+mwAOPF+1fJI6KbzhByi4lG+QCU0Uz
K9TNwyC64BzE5+beKeGX3CZkiaRzlqsLwY0V5hNxTUJq6jxnAXlZSdguxQWQXqq4
as2mPffEtsVDoDwSQMbHmNdpV+BqP9Ro22d5cSB4mPLjX8ru5ctYQ2vGZkFd8AhW
Z/CxG8yM0D3zdBa1pI7u0BKL/wmlQ3WKPUH/ERtiEvWJuAOh3wElrgQWI8fAH4kZ
4dKdUJBnag1hiwF4cG4Kgbx4IoiNnYAsdMDzCSAs8QnC6JaYauvnH3YF9w17JD/g
fhr/SwUTVCBqtYaBd8VMxnMA2wL/yJR8bPMRgk3vrAuE4qa9VsANIC2G+RAjXeoP
TqYLoJNh2DM=
=n5Q8
-----END PGP SIGNATURE-----