Your message dated Sat, 01 Aug 2020 12:51:28 +0100
with message-id <43535efb498a168cf81452ca0c326f004f46adc6.camel@adam-barratt.org.uk>
and subject line Closing bugs for fixes included in 10.5 point release
has caused the Debian Bug report #964146,
regarding buster-pu: package mutt/1.10.1-2.1+deb10u3
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)

--
964146: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=964146
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: buster-pu: package mutt/1.10.1-2.1+deb10u3
- From: Antonio Radici <antonio@debian.org>
- Date: Thu, 02 Jul 2020 17:00:13 +0200
- Message-id: <159370201346.1356275.11545818670822709002.reportbug@leporello>
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu

Hello folks,
in mutt/1.10.1-2.1+deb10u2 a security CVE was fixed yet it introduced a regression (bugs.debian.org/963970); I discussed with the security team whether to push another DSA to fix the regression, but given the scope it was decided that the best place for that is the next point release.

I've attached the debdiff to this mail and done the upload for buster.

Let me know if there is anything else that I should do.

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'testing-debug'), (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.6.0-2-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_FIRMWARE_WORKAROUND
Locale: LANG=en_IE.utf8, LC_CTYPE=en_IE.utf8 (charmap=UTF-8), LANGUAGE=en_IE.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

diff -Nru mutt-1.10.1/debian/changelog mutt-1.10.1/debian/changelog --- mutt-1.10.1/debian/changelog 2020-06-19 06:55:35.000000000 +0200 +++ mutt-1.10.1/debian/changelog 2020-07-02 16:45:23.000000000 +0200 @@ -1,3 +1,11 @@ +mutt (1.10.1-2.1+deb10u3) buster; urgency=medium + + * debian/patches: + + added imap-preauth-and-ssh-tunnel.patch from upstream, which does not + check IMAP preauth in SSH tunnels (Closes: 963970) + + -- Antonio Radici <antonio@debian.org> Thu, 02 Jul 2020 16:45:23 +0200 + mutt (1.10.1-2.1+deb10u2) buster-security; urgency=high * debian/patches: diff -Nru mutt-1.10.1/debian/patches/series mutt-1.10.1/debian/patches/series --- mutt-1.10.1/debian/patches/series 2020-06-19 06:55:20.000000000 +0200 +++ mutt-1.10.1/debian/patches/series 2020-07-02 16:44:08.000000000 +0200 
@@ -16,3 +16,4 @@ security/CVE-2020-14093.patch security/CVE-2020-14154.patch security/CVE-not-yet-released.patch +upstream/imap-preauth-and-ssh-tunnel.patch diff -Nru mutt-1.10.1/debian/patches/upstream/imap-preauth-and-ssh-tunnel.patch mutt-1.10.1/debian/patches/upstream/imap-preauth-and-ssh-tunnel.patch --- mutt-1.10.1/debian/patches/upstream/imap-preauth-and-ssh-tunnel.patch 1970-01-01 01:00:00.000000000 +0100 +++ mutt-1.10.1/debian/patches/upstream/imap-preauth-and-ssh-tunnel.patch 2020-07-02 16:45:23.000000000 +0200 @@ -0,0 +1,25 @@ +From dc909119b3433a84290f0095c0f43a23b98b3748 Mon Sep 17 00:00:00 2001 +From: Kevin McCarthy <kevin@8t8.us> +Date: Sat, 20 Jun 2020 06:35:35 -0700 +Subject: [PATCH] Don't check IMAP PREAUTH encryption if $tunnel is in use. + +$tunnel is used to create an external encrypted connection. The +default of $ssl_starttls is yes, meaning those kinds of connections +will be broken by the CVE-2020-14093 fix. +--- + imap/imap.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/imap/imap.c ++++ b/imap/imap.c +@@ -495,8 +495,8 @@ + { + #if defined(USE_SSL) + /* An unencrypted PREAUTH response is most likely a MITM attack. +- * Require a confirmation. */ +- if (!idata->conn->ssf) ++ * Require a confirmation unless using $tunnel. */ ++ if (!idata->conn->ssf && !Tunnel) + { + if (option(OPTSSLFORCETLS) || + (query_quadoption (OPT_SSLSTARTTLS,
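Review bot: in the debian/changelog hunk, `(Closes: 963970)` drops the `#` that Debian changelog entries conventionally carry, i.e. `(Closes: #963970)`; please double-check after the upload is accepted that the BTS actually picked up the closure from the changelog, and use the conventional form in the next revision.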
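Review bot: in the imap/imap.c hunk inside imap-preauth-and-ssh-tunnel.patch, the new condition `if (!idata->conn->ssf && !Tunnel)` skips the unencrypted-PREAUTH confirmation whenever `$tunnel` is set, without any check on what the tunnel command is; the CVE-2020-14093 mitigation now rests entirely on the assumption in the patch description that `$tunnel` always wraps an encrypted connection. Since this is the upstream commit taken as-is, the code is fine to ship, but a short remark in the changelog entry (or a debian/NEWS note) saying that the PREAUTH confirmation is no longer requested for `$tunnel` connections would let administrators who run a non-encrypted tunnel command know the check no longer covers them.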
--- End Message ---
--- Begin Message ---
- To: 931678-done@bugs.debian.org, 947351-done@bugs.debian.org, 947758-done@bugs.debian.org, 948652-done@bugs.debian.org, 953763-done@bugs.debian.org, 954020-done@bugs.debian.org, 954716-done@bugs.debian.org, 959661-done@bugs.debian.org, 959890-done@bugs.debian.org, 960020-done@bugs.debian.org, 960376-done@bugs.debian.org, 960395-done@bugs.debian.org, 960575-done@bugs.debian.org, 960600-done@bugs.debian.org, 960804-done@bugs.debian.org, 960806-done@bugs.debian.org, 960836-done@bugs.debian.org, 960885-done@bugs.debian.org, 960974-done@bugs.debian.org, 961019-done@bugs.debian.org, 961212-done@bugs.debian.org, 961275-done@bugs.debian.org, 961379-done@bugs.debian.org, 961439-done@bugs.debian.org, 961441-done@bugs.debian.org, 961514-done@bugs.debian.org, 961803-done@bugs.debian.org, 961833-done@bugs.debian.org, 961921-done@bugs.debian.org, 961936-done@bugs.debian.org, 961944-done@bugs.debian.org, 961978-done@bugs.debian.org, 962059-done@bugs.debian.org, 962067-done@bugs.debian.org, 962160-done@bugs.debian.org, 962227-done@bugs.debian.org, 962237-done@bugs.debian.org, 962255-done@bugs.debian.org, 962306-done@bugs.debian.org, 962982-done@bugs.debian.org, 963024-done@bugs.debian.org, 963267-done@bugs.debian.org, 963591-done@bugs.debian.org, 963595-done@bugs.debian.org, 963694-done@bugs.debian.org, 963796-done@bugs.debian.org, 963940-done@bugs.debian.org, 963986-done@bugs.debian.org, 964146-done@bugs.debian.org, 964158-done@bugs.debian.org, 964228-done@bugs.debian.org, 964338-done@bugs.debian.org, 964346-done@bugs.debian.org, 964350-done@bugs.debian.org, 964397-done@bugs.debian.org, 964412-done@bugs.debian.org, 964417-done@bugs.debian.org, 964422-done@bugs.debian.org, 964435-done@bugs.debian.org, 964574-done@bugs.debian.org, 964589-done@bugs.debian.org, 964712-done@bugs.debian.org, 964714-done@bugs.debian.org, 964715-done@bugs.debian.org, 964726-done@bugs.debian.org, 964740-done@bugs.debian.org, 964792-done@bugs.debian.org, 964807-done@bugs.debian.org, 
964808-done@bugs.debian.org, 964860-done@bugs.debian.org, 964868-done@bugs.debian.org, 964898-done@bugs.debian.org, 964986-done@bugs.debian.org, 965116-done@bugs.debian.org, 965117-done@bugs.debian.org, 965257-done@bugs.debian.org, 965377-done@bugs.debian.org, 966151-done@bugs.debian.org, 966213-done@bugs.debian.org, 966247-done@bugs.debian.org, 966272-done@bugs.debian.org, 966310-done@bugs.debian.org
- Subject: Closing bugs for fixes included in 10.5 point release
- From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
- Date: Sat, 01 Aug 2020 12:51:28 +0100
- Message-id: <43535efb498a168cf81452ca0c326f004f46adc6.camel@adam-barratt.org.uk>
Package: release.debian.org
Version: 10.5

Hi,

Each of these bugs relates to an update that was included in today's stable point release.

Regards,

Adam
--- End Message ---