mutt-1.5.20-9.20091214hg736b6a.AXS4

エラータID: AXSA:2018-3302:01

Release date: 
Monday, August 20, 2018 - 16:48
Subject: 
mutt-1.5.20-9.20091214hg736b6a.AXS4
Affected Channels: 
Asianux Server 4 for x86_64
Asianux Server 4 for x86
Severity: 
High
Description: 

Mutt is a low resource, highly configurable, text-based MIME e-mail client. Mutt supports most e-mail storing formats, such as mbox and Maildir, as well as most protocols, including POP3 and IMAP.

Security Fix(es):

* mutt: Remote code injection vulnerability to an IMAP mailbox (CVE-2018-14354)

* mutt: Remote Code Execution via backquote characters (CVE-2018-14357)

* mutt: POP body caching path traversal vulnerability (CVE-2018-14362)

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2018-14354
An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018-07-16. They allow remote IMAP servers to execute arbitrary commands via backquote characters, related to the mailboxes command associated with a manual subscription or unsubscription.
CVE-2018-14357
An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018-07-16. They allow remote IMAP servers to execute arbitrary commands via backquote characters, related to the mailboxes command associated with an automatic subscription.
CVE-2018-14362
An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018-07-16. pop.c does not forbid characters that may have unsafe interaction with message-cache pathnames, as demonstrated by a '/' character.

Solution: 

Update packages.

CVEs: 
CVE-2018-14354
An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018-07-16. They allow remote IMAP servers to execute arbitrary commands via backquote characters, related to the mailboxes command associated with a manual subscription or unsubscription.
CVE-2018-14357
An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018-07-16. They allow remote IMAP servers to execute arbitrary commands via backquote characters, related to the mailboxes command associated with an automatic subscription.
CVE-2018-14362
An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018-07-16. pop.c does not forbid characters that may have unsafe interaction with message-cache pathnames, as demonstrated by a '/' character.
Additional Info: 

N/A

Download: 

SRPMS
  1. mutt-1.5.20-9.20091214hg736b6a.AXS4.src.rpm
    MD5: 347c7a11dbcdb2760e55820ee845e9a2
    SHA-256: df25d08c782acddcee7db620b3ec89d812d6ac2331d3cc577565536401690ac8
    Size: 1.48 MB

Asianux Server 4 for x86
  1. mutt-1.5.20-9.20091214hg736b6a.AXS4.i686.rpm
    MD5: d1b4ce5a6cfa67c8b9095856b68f0c26
    SHA-256: 6557ca3c6bda178b45c48bfd4a8fedef2a7314fb47b5a5a6bca52a5ea2645b8c
    Size: 1.23 MB

Asianux Server 4 for x86_64
  1. mutt-1.5.20-9.20091214hg736b6a.AXS4.x86_64.rpm
    MD5: 3f28e6ba8b56aff98810913f25f13b06
    SHA-256: 246332c1697183168cc292ac585e6b695df939ced805805482b02552064e8663
    Size: 1.24 MB