Errata ID: AXSA:2021-2863:01

Release date: Thursday, December 23, 2021 - 22:57
Affected Channels: Asianux Server 8 for x86_64

Mutt is a low resource, highly configurable, text-based MIME e-mail client. Mutt
supports most e-mail storing formats, such as mbox and Maildir, as well as most
protocols, including POP3 and IMAP.

The following packages have been upgraded to a later upstream version: mutt

Security Fix(es):

* mutt: Incorrect handling of invalid initial IMAP responses could lead to an
authentication attempt over unencrypted connection (CVE-2020-28896)
* mutt: Memory leak when parsing rfc822 group addresses (CVE-2021-3181)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE page(s)
listed in the References section.

Additional Changes:

Mutt before 2.0.2 and NeoMutt before 2020-11-20 did not ensure that
$ssl_force_tls was processed if an IMAP server's initial server response was
invalid. The connection was not properly closed, and the code could continue
attempting to authenticate. This could result in authentication credentials
being exposed on an unencrypted connection, or to a machine-in-the-middle.

rfc822.c in Mutt through 2.0.4 allows remote attackers to cause a denial of
service (mailbox unavailability) by sending email messages with sequences of
semicolon characters in RFC822 address fields (aka terminators of empty groups).
A small email message from the attacker can cause large memory consumption, and
the victim may then be unable to see email messages from other persons.
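
As an added illustration (not part of this advisory or of Mutt's code), the following Python sketch scans a message's address headers for the long semicolon runs described for CVE-2021-3181, so a mail filter can flag such messages on systems that have not yet been updated. The header list, the threshold of 32 and both sample messages are assumptions constructed for this example.

```python
import email
import re

# Header fields that carry RFC 822 address lists (assumed selection).
ADDRESS_HEADERS = ("From", "Sender", "Reply-To", "To", "Cc", "Bcc",
                   "Resent-From", "Resent-To", "Resent-Cc")
THRESHOLD = 32  # assumed cut-off for this example; tune for local mail

_QUOTED = re.compile(r'"(?:\\.|[^"\\])*"', re.S)  # quoted strings may hold ';'
_RUN = re.compile(r";(?:\s*;)*")                  # ';' repeated, whitespace allowed


def longest_semicolon_run(value):
    """Return the longest run of ';' outside quoted strings, ignoring whitespace."""
    unquoted = _QUOTED.sub('""', value)
    return max((m.group().count(";") for m in _RUN.finditer(unquoted)), default=0)


def suspicious_headers(raw_message, threshold=THRESHOLD):
    """Return (header name, run length) for address headers at or above threshold."""
    msg = email.message_from_bytes(raw_message)
    hits = []
    for name in ADDRESS_HEADERS:
        for value in msg.get_all(name, []):
            run = longest_semicolon_run(str(value))
            if run >= threshold:
                hits.append((name, run))
    return hits


# Constructed sample messages (not taken from real traffic).
BENIGN = (b"From: alice@example.org\r\n"
          b"To: undisclosed-recipients:;\r\n"
          b"Subject: minutes\r\n\r\nbody\r\n")
CRAFTED = (b"From: mallory@example.org\r\n"
           b"To: " + b";" * 200 + b"\r\n"
           b"Subject: hello\r\n\r\nbody\r\n")

if __name__ == "__main__":
    for label, raw in (("benign", BENIGN), ("crafted", CRAFTED)):
        print(label, suspicious_headers(raw))
```

A single `;` closing an ordinary group such as `undisclosed-recipients:;` stays below the threshold and is not reported.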


Update packages.

Additional Info: 



  1. mutt-2.0.7-1.el8.src.rpm
    MD5: 660443417da55ab93b5d1766d38ca3a7
    SHA-256: ae28d77c6a2b05c9b69a3195542548e7616db79133376c78fab1505359128dde
    Size: 5.10 MB

Asianux Server 8 for x86_64
  1. mutt-2.0.7-1.el8.x86_64.rpm
    MD5: 02711d2b44f8af62f3435febcb45d873
    SHA-256: ad9001dbdc40eefca30449bfcb8cf5e9f1303de1643619d4fc97969e4717586e
    Size: 1.92 MB