Bug#964146: marked as done (buster-pu: package mutt/1.10.1-2.1+deb10u3)

["Debian Bug Tracking System" <owner@bugs.debian.org>]

Your message dated Sat, 01 Aug 2020 12:51:28 +0100
with message-id <43535efb498a168cf81452ca0c326f004f46adc6.camel@adam-barratt.org.uk>
and subject line Closing bugs for fixes included in 10.5 point release
has caused the Debian Bug report #964146,
regarding buster-pu: package mutt/1.10.1-2.1+deb10u3
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
964146: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=964146
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

• To: Debian Bug Tracking System <submit@bugs.debian.org>
• Subject: buster-pu: package mutt/1.10.1-2.1+deb10u3
• From: Antonio Radici <antonio@debian.org>
• Date: Thu, 02 Jul 2020 17:00:13 +0200
• Message-id: <159370201346.1356275.11545818670822709002.reportbug@leporello>

Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu

Hello folks,
in mutt/1.10.1-2.1+deb10u2 a security CVE was fixed yet it introduced a
regression (bugs.debian.org/963970); I discussed with the security team whether
to push another DSA to fix the regression, but given the scope it was decided
that the best place for that is the next point release.

I've attached the debdiff to this mail and done the upload for buster.

Let me know if there is anything else that I should do.

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'testing-debug'), (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.6.0-2-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_FIRMWARE_WORKAROUND
Locale: LANG=en_IE.utf8, LC_CTYPE=en_IE.utf8 (charmap=UTF-8), LANGUAGE=en_IE.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

diff -Nru mutt-1.10.1/debian/changelog mutt-1.10.1/debian/changelog
--- mutt-1.10.1/debian/changelog	2020-06-19 06:55:35.000000000 +0200
+++ mutt-1.10.1/debian/changelog	2020-07-02 16:45:23.000000000 +0200
@@ -1,3 +1,11 @@
+mutt (1.10.1-2.1+deb10u3) buster; urgency=medium
+
+  * debian/patches:
+    + added imap-preauth-and-ssh-tunnel.patch from upstream, which does not
+      check IMAP preauth in SSH tunnels (Closes: 963970)
+
+ -- Antonio Radici <antonio@debian.org>  Thu, 02 Jul 2020 16:45:23 +0200
+
 mutt (1.10.1-2.1+deb10u2) buster-security; urgency=high
 
   * debian/patches:
diff -Nru mutt-1.10.1/debian/patches/series mutt-1.10.1/debian/patches/series
--- mutt-1.10.1/debian/patches/series	2020-06-19 06:55:20.000000000 +0200
+++ mutt-1.10.1/debian/patches/series	2020-07-02 16:44:08.000000000 +0200
@@ -16,3 +16,4 @@
 security/CVE-2020-14093.patch
 security/CVE-2020-14154.patch
 security/CVE-not-yet-released.patch
+upstream/imap-preauth-and-ssh-tunnel.patch
diff -Nru mutt-1.10.1/debian/patches/upstream/imap-preauth-and-ssh-tunnel.patch mutt-1.10.1/debian/patches/upstream/imap-preauth-and-ssh-tunnel.patch
--- mutt-1.10.1/debian/patches/upstream/imap-preauth-and-ssh-tunnel.patch	1970-01-01 01:00:00.000000000 +0100
+++ mutt-1.10.1/debian/patches/upstream/imap-preauth-and-ssh-tunnel.patch	2020-07-02 16:45:23.000000000 +0200
@@ -0,0 +1,25 @@
+From dc909119b3433a84290f0095c0f43a23b98b3748 Mon Sep 17 00:00:00 2001
+From: Kevin McCarthy <kevin@8t8.us>
+Date: Sat, 20 Jun 2020 06:35:35 -0700
+Subject: [PATCH] Don't check IMAP PREAUTH encryption if $tunnel is in use.
+
+$tunnel is used to create an external encrypted connection.  The
+default of $ssl_starttls is yes, meaning those kinds of connections
+will be broken by the CVE-2020-14093 fix.
+---
+ imap/imap.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/imap/imap.c
++++ b/imap/imap.c
+@@ -495,8 +495,8 @@
+   {
+ #if defined(USE_SSL)
+     /* An unencrypted PREAUTH response is most likely a MITM attack.
+-     * Require a confirmation. */
+-    if (!idata->conn->ssf)
++     * Require a confirmation unless using $tunnel. */
++    if (!idata->conn->ssf && !Tunnel)
+     {
+       if (option(OPTSSLFORCETLS) ||
+           (query_quadoption (OPT_SSLSTARTTLS,

--- End Message ---

--- Begin Message ---

• To: 931678-done@bugs.debian.org, 947351-done@bugs.debian.org, 947758-done@bugs.debian.org, 948652-done@bugs.debian.org, 953763-done@bugs.debian.org, 954020-done@bugs.debian.org, 954716-done@bugs.debian.org, 959661-done@bugs.debian.org, 959890-done@bugs.debian.org, 960020-done@bugs.debian.org, 960376-done@bugs.debian.org, 960395-done@bugs.debian.org, 960575-done@bugs.debian.org, 960600-done@bugs.debian.org, 960804-done@bugs.debian.org, 960806-done@bugs.debian.org, 960836-done@bugs.debian.org, 960885-done@bugs.debian.org, 960974-done@bugs.debian.org, 961019-done@bugs.debian.org, 961212-done@bugs.debian.org, 961275-done@bugs.debian.org, 961379-done@bugs.debian.org, 961439-done@bugs.debian.org, 961441-done@bugs.debian.org, 961514-done@bugs.debian.org, 961803-done@bugs.debian.org, 961833-done@bugs.debian.org, 961921-done@bugs.debian.org, 961936-done@bugs.debian.org, 961944-done@bugs.debian.org, 961978-done@bugs.debian.org, 962059-done@bugs.debian.org, 962067-done@bugs.debian.org, 962160-done@bugs.debian.org, 962227-done@bugs.debian.org, 962237-done@bugs.debian.org, 962255-done@bugs.debian.org, 962306-done@bugs.debian.org, 962982-done@bugs.debian.org, 963024-done@bugs.debian.org, 963267-done@bugs.debian.org, 963591-done@bugs.debian.org, 963595-done@bugs.debian.org, 963694-done@bugs.debian.org, 963796-done@bugs.debian.org, 963940-done@bugs.debian.org, 963986-done@bugs.debian.org, 964146-done@bugs.debian.org, 964158-done@bugs.debian.org, 964228-done@bugs.debian.org, 964338-done@bugs.debian.org, 964346-done@bugs.debian.org, 964350-done@bugs.debian.org, 964397-done@bugs.debian.org, 964412-done@bugs.debian.org, 964417-done@bugs.debian.org, 964422-done@bugs.debian.org, 964435-done@bugs.debian.org, 964574-done@bugs.debian.org, 964589-done@bugs.debian.org, 964712-done@bugs.debian.org, 964714-done@bugs.debian.org, 964715-done@bugs.debian.org, 964726-done@bugs.debian.org, 964740-done@bugs.debian.org, 964792-done@bugs.debian.org, 964807-done@bugs.debian.org, 964808-done@bugs.debian.org, 964860-done@bugs.debian.org, 964868-done@bugs.debian.org, 964898-done@bugs.debian.org, 964986-done@bugs.debian.org, 965116-done@bugs.debian.org, 965117-done@bugs.debian.org, 965257-done@bugs.debian.org, 965377-done@bugs.debian.org, 966151-done@bugs.debian.org, 966213-done@bugs.debian.org, 966247-done@bugs.debian.org, 966272-done@bugs.debian.org, 966310-done@bugs.debian.org
• Subject: Closing bugs for fixes included in 10.5 point release
• From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
• Date: Sat, 01 Aug 2020 12:51:28 +0100
• Message-id: <43535efb498a168cf81452ca0c326f004f46adc6.camel@adam-barratt.org.uk>

Package: release.debian.org
Version: 10.5

Hi,

Each of these bugs relates to an update that was included in today's
stable point release.

Regards,

Adam

--- End Message ---