The package msmtp before version 1.8.3-1 is vulnerable to certificate verification bypass.
Arch Linux Security Advisory ASA-201902-22
=========================================
Severity: High
Date : 2019-02-17
CVE-ID : CVE-2019-8337
Package : msmtp
Type : certificate verification bypass
Remote : Yes
Link : https://security.archlinux.org/AVG-905
Summary
======
The package msmtp before version 1.8.3-1 is vulnerable to certificate
verification bypass.
Resolution
=========
Upgrade to 1.8.3-1.
# pacman -Syu "msmtp>=1.8.3-1"
The problem has been fixed upstream in version 1.8.3.
Workaround
=========
None.
Description
==========
In msmtp 1.8.2, when tls_trust_file has its default configuration,
certificate-verification results are not properly checked.
Impact
=====
The default configuration would omit certification verification.
References
=========
https://marlam.de/msmtp/news/
https://security.archlinux.org/CVE-2019-8337