Linux Security

    openSUSE: 2020:2157-1 moderate: neomutt

    Date 04 Dec 2020
    Posted By LinuxSecurity Advisories
    Announcement ID:    openSUSE-SU-2020:2157-1
    Rating:             moderate
    References:         #1172906 #1172935 #1173197 #1179035 #1179113 
                        
    Cross-References:   CVE-2020-14093 CVE-2020-14154 CVE-2020-14954
                        CVE-2020-28896
    Affected Products:
                        openSUSE Backports SLE-15-SP1
    ______________________________________________________________________________
    
       An update that solves four vulnerabilities and has one
       errata is now available.
    
    Description:
    
       This update for neomutt fixes the following issues:
    
       Update neomutt to 20201120. Address boo#1179035, CVE-2020-28896.
    
         * Security
           - imap: close connection on all failures
         * Features
           - alias: add function to Alias/Query dialogs
           - config: add validators for {imap,smtp,pop}_authenticators
           - config: warn when signature file is missing or not readable
           - smtp: support for native SMTP LOGIN auth mech
           - notmuch: show originating folder in index
         * Bug Fixes
           - sidebar: prevent the divider colour bleeding out
           - sidebar: fix 
           - notmuch: fix query for current email
           - restore shutdown-hook functionality
           - crash in reply-to
           - use-after-free in folder-hook
           - fix some leaks
           - fix application of limits to modified mailboxes
           - write Date header when postponing
         * Translations
           - 100% Lithuanian
           - 100% Czech
           - 70% Turkish
         * Docs
           - Document that $sort_alias affects the query menu
         * Build
           - improve ASAN flags
           - add SASL and S/MIME to --everything
           - fix contrib (un)install
         * Code
           - my_hdr compose screen notifications
           - add contracts to the MXAPI
           - maildir refactoring
           - further reduce the use of global variables
         * Upstream
           - Add $count_alternatives to count attachments inside alternatives
       - Changes from 20200925
         * Features
           - Compose: display user-defined headers
           - Address Book / Query: live sorting
           - Address Book / Query: patterns for searching
           - Config: Add '+=' and '-=' operators for String Lists
           - Config: Add '+=' operator for Strings
           - Allow postfix query ':setenv NAME?' for env vars
         * Bug Fixes
           - Fix crash when searching with invalid regexes
           - Compose: Prevent infinite loop of send2-hooks
           - Fix sidebar on new/removed mailboxes
           - Restore indentation for named mailboxes
           - Prevent half-parsing an alias
           - Remove folder creation prompt for POP path
           - Show error if $message_cachedir doesn't point to a valid directory
           - Fix tracking LastDir in case of IMAP paths with Unicode characters
           - Make sure all mail gets applied the index limit
           - Add warnings to -Q query CLI option
           - Fix index tracking functionality
         * Changed Config
           - Add $compose_show_user_headers (yes)
         * Translations
           - 100% Czech
           - 100% Lithuanian
           - Split up usage strings
         * Build
           - Run shellcheck on hcachever.sh
           - Add the Address Sanitizer
           - Move compose files to lib under compose/
           - Move address config into libaddress
           - Update to latest acutest - fixes a memory leak in the unit tests
         * Code
           - Implement ARRAY API
           - Deglobalised the Config Sort functions
           - Refactor the Sidebar to be Event-Driven
           - Refactor the Color Event
           - Refactor the Commands list
           - Make ctx_update_tables private
           - Reduce the scope/deps of some Validator functions
           - Use the Email's IMAP UID instead of an increasing number as index
           - debug: log window focus
       - Removed neomutt-sidebar-abbreviate-shorten-what-user-sees.patch. No
         longer needed.
    
       - Update to 20200821:
         * Bug Fixes
           - fix maildir flag generation
           - fix query notmuch if file is missing
           - notmuch: don't abort sync on error
           - fix type checking for send config variables
         * Changed Config
           - $sidebar_format - Use %D rather than %B for named mailboxes
         * Translations
           - 96% Lithuanian
           - 90% Polish
       - fix(sidebar): abbreviate/shorten what user sees
    
       - Fix sidebar mailbox name display problem.
    
       - Update to 20200814:
         * Notes
           - Add one-liner docs to config items. See: neomutt -O -Q smart_wrap
           - Remove the built-in editor. A large unused and unusable feature
         * Security
           - Add mitigation against DoS from thousands of parts boo#1179113
         * Features
           - Allow index-style searching in postpone menu
           - Open NeoMutt using a mailbox name
           - Add cd command to change the current working directory
           - Add tab-completion menu for patterns
           - Allow renaming existing mailboxes
           - Check for missing attachments in alternative parts
           - Add one-liner docs to config items
         * Bug Fixes
           - Fix logic in checking an empty From address
           - Fix Imap crash in cmd_parse_expunge()
           - Fix setting attributes with S-Lang
           - Fix: redrawing of $pager_index_lines
           - Fix progress percentage for syncing large mboxes
           - Fix sidebar drawing in presence of indentation + named mailboxes
           - Fix retrieval of drafts when "postponed" is not in the mailboxes list
           - Do not add comments to address group terminators
           - Fix alias sorting for degenerate addresses
           - Fix attaching emails
           - Create directories for nonexistent file hcache case
           - Avoid creating mailboxes for failed subscribes
           - Fix crash if rejecting cert
         * Changed Config
           - Add $copy_decode_weed, $pipe_decode_weed, $print_decode_weed
           - Change default of $crypt_protected_headers_subject to "..."
           - Add default keybindings to history-up/down
         * Translations
           - 100% Czech
           - 100% Spanish
         * Build
           - Allow building against Lua 5.4
           - Fix when sqlite3.h is missing
         * Docs
           - Add a brief section on stty to the manual
           - Update section "Terminal Keybindings" in the manual
           - Clarify PGP Pseudo-header S duration
         * Code
           - Clean up String API
           - Make the Sidebar more independent
           - De-centralise the Config Variables
           - Refactor dialogs
           - Refactor: Help Bar generation
           - Make more APIs Context-free
           - Adjust the edata use in Maildir and Notmuch
           - Window refactoring
           - Convert libsend to use Config functions
           - Refactor notifications to reduce noise
           - Convert Keymaps to use STAILQ
           - Track currently selected email by msgid
           - Config: no backing global variable
           - Add events for key binding
         * Upstream
           - Fix imap postponed mailbox use-after-free error
           - Speed up thread sort when many long threads exist
           - Fix ~v tagging when switching to non-threaded sorting
           - Add message/global to the list of known "message" types
           - Print progress meter when copying/saving tagged messages
           - Remove ansi formatting from autoview generated quoted replies
           - Change postpone mode to write Date header too
           - Unstuff format=flowed
    
       - Update to 20200626:
         * Bug Fixes
           - Avoid opening the same hcache file twice
           - Re-open Mailbox after folder-hook
           - Fix the matching of the spoolfile Mailbox
           - Fix link-thread to link all tagged emails
         * Changed Config
           - Add $tunnel_is_secure config, defaulting to true
         * Upstream
           - Don't check IMAP PREAUTH encryption if $tunnel is in use
           - Add recommendation to use $ssl_force_tls
       - Changes from 20200501:
         * Security
           - Abort GnuTLS certificate check if a cert in the chain is rejected
             CVE-2020-14154 boo#1172906
           - TLS: clear data after a starttls acknowledgement CVE-2020-14954
             boo#1173197
           - Prevent possible IMAP MITM via PREAUTH response CVE-2020-14093
             boo#1172935
         * Features
           - add config operations +=/-= for number,long
           - Address book has a comment field
           - Query menu has a comment field
         * Contrib sample.neomuttrc-starter: Do not echo prompted password
         * Bug Fixes
           - make "news://" and "nntp://" schemes interchangeable
           - Fix CRLF to LF conversion in base64 decoding
           - Double comma in query
           - compose: fix redraw after history
           - Crash inside empty query menu
           - mmdf: fix creating new mailbox
           - mh: fix creating new mailbox
           - mbox: error out when an mbox/mmdf is a pipe
           - Fix list-reply by correct parsing of List-Post headers
           - Decode references according to RFC2047
           - fix tagged message count
           - hcache: fix keylen not being considered when building the full key
           - sidebar: fix path comparison
           - Don't mess with the original pattern when running IMAP searches
           - Handle IMAP "NO" resps by issuing a msg instead of failing badly
           - imap: use the connection delimiter if provided
           - Memory leaks
         * Changed Config
           - $alias_format default changed to include %c comment
           - $query_format default changed to include %e extra info
         * Translations
           - 100% Lithuanian
           - 84% French
           - Log the translation in use
         * Docs
           - Add missing commands unbind, unmacro to man pages
         * Build
           - Check size of long using LONG_MAX instead of __WORDSIZE
           - Allow ./configure to not record cflags
           - fix out-of-tree build
           - Avoid locating gdbm symbols in qdbm library
         * Code
           - Refactor unsafe TAILQ returns
           - add window notifications
           - flip negative ifs
           - Update to latest acutest.h
           - test: add store tests
           - test: add compression tests
           - graphviz: email
           - make more opcode info available
           - refactor: main_change_folder()
           - refactor: mutt_mailbox_next()
           - refactor: generate_body()
           - compress: add {min,max}_level to ComprOps
           - emphasise empty loops: "// do nothing"
           - prex: convert is_from() to use regex
           - Refactor IMAP's search routines
    
       - Update to 20200501:
         * Bug Fixes
           - Make sure buffers are initialized on error
           - fix(sidebar): use abbreviated path if possible
         * Translations
           - 100% Lithuanian
         * Docs
           - make header cache config more explicit
       - Changes from 20200424:
         * Bug Fixes
           - Fix history corruption
           - Handle pretty much anything in a URL query part
           - Correctly parse escaped characters in header phrases
           - Fix crash reading received header
           - Fix sidebar indentation
           - Avoid crashing on failure to parse an IMAP mailbox
           - Maildir: handle deleted emails correctly
           - Ensure OP_NULL is always first
         * Translations
           - 100% Czech
         * Build
           - cirrus: enable pcre2, make pkgconf a special case
           - Fix finding pcre2 w/o pkgconf
           - build: tdb.h needs size_t, bring it in with stddef.h
       - Changes from 20200417:
         * Features
           - Fluid layout for Compose Screen, see: vimeo.com/407231157
           - Trivial Database (TDB) header cache backend
           - RocksDB header cache backend
           - Add  and  functions
         * Bug Fixes
           - add error for CLI empty emails
           - Allow spaces and square brackets in paths
           - browser: fix hidden mailboxes
           - fix initial email display
           - notmuch: fix time window search.
           - fix resize bugs
           - notmuch: fix entire-thread: update current email pointer
           - sidebar: support indenting and shortening of names
           - Handle variables inside backticks in sidebar_whitelist
           - browser: fix mask regex error reporting
         * Translations
           - 100% Lithuanian
           - 99% Chinese (simplified)
         * Build
           - Use regexes for common parsing tasks: urls, dates
           - Add configure option --pcre2 -- Enable PCRE2 regular expressions
           - Add configure option --tdb -- Use TDB for the header cache
           - Add configure option --rocksdb -- Use RocksDB for the header cache
           - Create libstore (key/value backends)
           - Update to latest autosetup
           - Update to latest acutest.h
           - Rename doc/ directory to docs/
           - make: fix location of .Po dependency files
           - Change libcompress to be more universal
           - Fix test fails on x32
           - fix uidvalidity to unsigned 32-bit int
         * Code
           - Increase test coverage
           - Fix memory leaks
           - Fix null checks
         * Upstream
           - Buffer refactoring
           - Fix use-after-free in mutt_str_replace()
           - Clarify PGP Pseudo-header S duration
           - Try to respect MUTT_QUIET for IMAP contexts too
           - Limit recurse depth when parsing mime messages
    
       - Update to 20200320:
         * Bug Fixes
           - Fix COLUMNS env var
           - Fix sync after delete
           - Fix crash in notmuch
           - Fix sidebar indent
           - Fix emptying trash
           - Fix command line sending
           - Fix reading large address lists
           - Resolve symlinks only when necessary
         * Translations
           - 100% Lithuanian
           - 96% Spanish
         * Docs
           - Include OpenSSL/LibreSSL/GnuTLS version in neomutt -v output
           - Fix case of GPGME and SQLite
         * Build
           - Create libcompress (lz4, zlib, zstd)
           - Create libhistory
           - Create libbcache
           - Move zstrm to libconn
         * Code
           - Add more test coverage
           - Rename magic to type
           - Use mutt_file_fopen() on config variables
           - Change commands to use intptr_t for data
    
       - Update to 20200313:
         * Window layout
           - Sidebar is only visible when it's usable.
         * Features
           - UI: add number of old messages to sidebar_format
           - UI: support ISO 8601 calendar date
           - UI: fix commands that don't need to have a non-empty mailbox to be
             valid
           - PGP: inform about successful decryption of inline PGP messages
           - PGP: try to infer the signing key from the From address
           - PGP: enable GPGMe by default
           - Notmuch: use query as name for vfolder-from-query
           - IMAP: add network traffic compression (COMPRESS=DEFLATE, RFC4978)
           - Header cache: add support for generic header cache compression
         * Bug Fixes
           - Fix uncollapse_jump
           - Only try to perform entire-thread on maildir/mh mailboxes
           - Fix crash in pager
           - Avoid logging single new lines at the end of header fields
           - Fix listing mailboxes
           - Do not recurse a non-threaded message
           - Fix initial window order
           - Fix leaks on IMAP error paths
           - Notmuch: compose(attach-message): support notmuch backend
           - Fix IMAP flag comparison code
           - Fix $move for IMAP mailboxes
           - Maildir: maildir_mbox_check_stats should only update mailbox stats
             if requested
           - Fix unmailboxes for virtual mailboxes
           - Maildir: sanitize filename before hashing
           - OAuth: if 'login' name isn't available use 'user'
           - Add error message on failed encryption
           - Fix a bunch of crashes
           - Force C locale for email date
           - Abort if run without a terminal
         * Changed Config
           - $crypt_use_gpgme - Now defaults to 'yes' (enabled)
           - $abort_backspace - Hitting backspace against an empty prompt aborts
             the prompt
           - $abort_key - String representation of key to abort prompts
           - $arrow_string - Use a custom string for arrow_cursor
           - $crypt_opportunistic_encrypt_strong_keys - Enable encryption
             only when a strong key is available
           - $header_cache_compress_dictionary - Filepath to dictionary for zstd
             compression
           - $header_cache_compress_level - Level of compression for method
           - $header_cache_compress_method - Enable generic hcache database
             compression
           - $imap_deflate - Compress network traffic
           - $smtp_user - Username for the SMTP server
         * Translations
           - 100% Lithuanian
           - 81% Spanish
           - 78% Russian
         * Build
           - Add libdebug
           - Rename public headers to lib.h
           - Create libcompress for compressed folders code
         * Code
           - Refactor Windows and Dialogs
           - Lots of code tidying
           - Refactor: mutt_addrlist_{search,write}
           - Lots of improvements to the Config code
           - Use Buffers more pervasively
           - Unify API function naming
           - Rename library shared headers
           - Refactor libconn gui dependencies
           - Refactor: init.[ch]
           - Refactor config to use subsets
           - Config: add path type
           - Remove backend deps from the connection code
         * Upstream
           - Allow ~b ~B ~h patterns in send2-hook
           - Rename smime oppenc mode parameter to get_keys_by_addr()
           - Add $crypt_opportunistic_encrypt_strong_keys config var
           - Fix crash when polling a closed ssl connection
           - Turn off auto-clear outside of autocrypt initialization
           - Add protected-headers="v1" to Content-Type when protecting headers
           - Fix segv in IMAP postponed menu caused by reopen_allow
           - Adding ISO 8601 calendar date
           - Fix $fcc_attach to not prompt in batch mode
           - Convert remaining mutt_encode_path() call to use struct Buffer
           - Fix rendering of replacement_char when Charset_is_utf8
           - Update to latest acutest.h
    
       - Update to 20191207:
         * Features:
           - compose: draw status bar with highlights
         * Bug Fixes:
           - crash opening notmuch mailbox
           - crash in mutt_autocrypt_ui_recommendation
           - Avoid negative allocation
           - Mbox new mail
           - Setting of DT_MAILBOX type variables from Lua
           - imap: empty cmdbuf before connecting
           - imap: select the mailbox on reconnect
           - compose: fix attach message
         * Build:
           - make files conditional
         * Code:
           - enum-ify log levels
           - fix function prototypes
           - refactor virtual email lookups
           - factor out global Context
       - Changes from 20191129:
         * Features:
           - Add raw mailsize expando (%cr)
         * Bug Fixes:
           - Avoid double question marks in bounce confirmation msg
           - Fix bounce confirmation
           - fix new-mail flags and behaviour
           - fix: browser 
           - fix ssl crash
           - fix move to trash
           - fix flickering
           - Do not check hidden mailboxes for new mail
           - Fix new_mail_command notifications
           - fix crash in examine_mailboxes()
           - fix crash in mutt_sort_threads()
           - fix: crash after sending
           - Fix crash in tunnel's conn_close
           - fix fcc for deep dirs
           - imap: fix crash when new mail arrives
           - fix colour 'quoted9'
           - quieten messages on exit
           - fix: crash after failed mbox_check
           - browser: default to a file/dir view when attaching a file
         * Changed Config:
           - Change $write_bcc to default off
         * Docs:
           - Add a bit more documentation about sending
           - Clarify $write_bcc documentation.
           - Update documentation for raw size expando
           - docbook: set generate.consistent.ids to make generated html
             reproducible
         * Build:
           - fix build/tests for 32-bit arches
           - tests: fix test that would fail soon
           - tests: fix context for failing idna tests
    
       - Update to 20191111: Bug fixes:
         * browser: fix directory view
         * fix crash in mutt_extract_token()
         * force a screen refresh
         * fix crash sending message from command line
         * notmuch: use nm_default_uri if no mailbox data
         * fix forward attachments
         * fix: vfprintf undefined behaviour in body_handler
         * Fix relative symlink resolution
         * fix: trash to non-existent file/dir
         * fix re-opening of mbox Mailboxes
         * close logging as late as possible
         * log unknown mailboxes
         * fix crash in command line postpone
         * fix memory leaks
         * fix icommand parsing
         * fix new mail interaction with mail_check_recent
    
       This update was imported from the openSUSE:Leap:15.1:Update update project.
    
    
    Patch Instructions:
    
       To install this openSUSE Security Update use the SUSE recommended installation methods
       like YaST online_update or "zypper patch".
    
       Alternatively you can run the command listed for your product:
    
       - openSUSE Backports SLE-15-SP1:
    
          zypper in -t patch openSUSE-2020-2157=1
    
    
    
    Package List:
    
       - openSUSE Backports SLE-15-SP1 (aarch64 ppc64le s390x x86_64):
    
          neomutt-20201120-bp151.3.3.1
    
       - openSUSE Backports SLE-15-SP1 (noarch):
    
          neomutt-doc-20201120-bp151.3.3.1
          neomutt-lang-20201120-bp151.3.3.1
    
    
    References:
    
       https://www.suse.com/security/cve/CVE-2020-14093.html
       https://www.suse.com/security/cve/CVE-2020-14154.html
       https://www.suse.com/security/cve/CVE-2020-14954.html
       https://www.suse.com/security/cve/CVE-2020-28896.html
       https://bugzilla.suse.com/1172906
       https://bugzilla.suse.com/1172935
       https://bugzilla.suse.com/1173197
       https://bugzilla.suse.com/1179035
       https://bugzilla.suse.com/1179113