ArchLinux: 202011-25: mutt: silent downgrade
Summary
A security issue has been found in Mutt before version 2.0.2 and NeoMutt before version 20201120 that could result in authentication credentials being sent over an unencrypted connection, without $ssl_force_tls being consulted. During connection setup, if the server provided an illegal initial response, the application "bailed" but did not actually close the connection. The calling code relied on the connection status to decide whether to continue with authentication, instead of checking the "bail" return value.
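The control-flow mistake described above, as an added C model that is not Mutt's or NeoMutt's code: a handshake that bails on an illegal initial response but leaves the socket open, a caller that tests the socket instead of the return value (so credentials would go out in the clear), and the corrected caller. The names Conn, tls_handshake, login_vulnerable and login_fixed, and the "+OK" greeting format, are assumptions made for the example.

```c
#include <stdbool.h>
#include <string.h>

/* Hypothetical, simplified connection state (not Mutt's real struct). */
typedef struct {
    int fd;      /* -1 once the socket has been closed */
    bool tls;    /* true only after a successful STARTTLS handshake */
} Conn;

/* Models the flawed handshake: returns -1 ("bail") on an illegal initial
 * response from the server, but leaves c->fd open. A well-formed greeting
 * is assumed to start with "+OK" for this example. */
static int tls_handshake(Conn *c, const char *initial_response)
{
    if (strncmp(initial_response, "+OK", 3) != 0)
        return -1;                 /* bail, but the connection stays open */
    c->tls = true;
    return 0;
}

/* Vulnerable caller: ignores the bail value and only asks "is the socket
 * still open?" Returns true when it would go on to send credentials. */
static bool login_vulnerable(Conn *c, const char *initial_response)
{
    tls_handshake(c, initial_response);   /* return value discarded */
    if (c->fd < 0)
        return false;                     /* never true after a bail */
    return true;                          /* credentials sent; c->tls may be false */
}

/* Fixed caller: honours the bail value and actually closes the connection,
 * so authentication can only proceed after a successful handshake. */
static bool login_fixed(Conn *c, const char *initial_response)
{
    if (tls_handshake(c, initial_response) != 0) {
        c->fd = -1;                       /* close the connection for real */
        return false;                     /* no credentials are sent */
    }
    return true;                          /* c->tls is guaranteed true here */
}
```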
Resolution
Upgrade to 2.0.2-1.
# pacman -Syu "mutt>=2.0.2-1"
The problem has been fixed upstream in version 2.0.2.
References
http://lists.mutt.org/pipermail/mutt-users/Week-of-Mon-20201116/002134.html
https://mailman.neomutt.org/pipermail/neomutt-users-neomutt.org/2020-November/000929.html
https://gitlab.com/muttmua/mutt/-/commit/04b06aaa3e0cc0022b9b01dbca2863756ebbf59a
https://github.com/neomutt/neomutt/commit/9c36717a3e2af1f2c1b7242035455ec8112b4b06
https://security.archlinux.org/CVE-2020-28896
Workaround
None.