Security update for mutt SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2020:2128-1 Final 1 1 2020-12-01T00:42:22Z current 2020-12-01T00:42:22Z 2020-12-01T00:42:22Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for mutt This update for mutt fixes the following issues: - CVE-2020-28896: incomplete connection termination could lead to sending credentials over unencrypted connections (bsc#1179035) - Avoid that message with a million tiny parts can freeze MUA for several minutes (bsc#1179113) This update was imported from the SUSE:SLE-15:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2020-2128 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/SDEIF6HZ3PYQV7UDRJUX7FTYYPTVCBVB/ E-Mail link for openSUSE-SU-2020:2128-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1179035 SUSE Bug 1179035 https://bugzilla.suse.com/1179113 SUSE Bug 1179113 https://www.suse.com/security/cve/CVE-2020-28896/ SUSE CVE CVE-2020-28896 page openSUSE Leap 15.1 mutt-1.10.1-lp151.2.6.1 mutt-doc-1.10.1-lp151.2.6.1 mutt-lang-1.10.1-lp151.2.6.1 mutt-1.10.1-lp151.2.6.1 as a component of openSUSE Leap 15.1 mutt-doc-1.10.1-lp151.2.6.1 as a component of openSUSE Leap 15.1 mutt-lang-1.10.1-lp151.2.6.1 as a component of openSUSE Leap 15.1 Mutt before 2.0.2 and NeoMutt before 2020-11-20 did not ensure that $ssl_force_tls was processed if an IMAP server's initial server response was invalid. The connection was not properly closed, and the code could continue attempting to authenticate. This could result in authentication credentials being exposed on an unencrypted connection, or to a machine-in-the-middle. CVE-2020-28896 openSUSE Leap 15.1:mutt-1.10.1-lp151.2.6.1 openSUSE Leap 15.1:mutt-doc-1.10.1-lp151.2.6.1 openSUSE Leap 15.1:mutt-lang-1.10.1-lp151.2.6.1 moderate 2.6 AV:N/AC:H/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/SDEIF6HZ3PYQV7UDRJUX7FTYYPTVCBVB/ https://www.suse.com/security/cve/CVE-2020-28896.html CVE-2020-28896 https://bugzilla.suse.com/1179035 SUSE Bug 1179035