Discover Government News

--===============5317241724046297795=
Announcement ID:    openSUSE-SU-2020:2158-1
Rating:             moderate
References:         #1172906 #1172935 #1173197 #1179035 #1179113 
                    
Cross-References:   CVE-2020-14093 CVE-2020-14154 CVE-2020-14954
                    CVE-2020-28896
Affected Products:
                    openSUSE Backports SLE-15-SP2
______________________________________________________________________________

   An update that solves four vulnerabilities and has one
   errata is now available.

Description:

   This update for neomutt fixes the following issues:

   Update neomutt to 20201120. Address boo#1179035, CVE-2020-28896.

     * Security
       - imap: close connection on all failures
     * Features
       - alias: add function to Alias/Query dialogs
       - config: add validators for {imap,smtp,pop}_authenticators       - config: warn when signature file is missing or not readable
       - smtp: support for native SMTP LOGIN auth mech
       - notmuch: show originating folder in index
     * Bug Fixes
       - sidebar: prevent the divider colour bleeding out
       - sidebar: fix 
       - notmuch: fix query for current email
       - restore shutdown-hook functionality
       - crash in reply-to
       - user-after-free in folder-hook
       - fix some leaks
       - fix application of limits to modified mailboxes
       - write Date header when postponing
     * Translations
       - 100% Lithuanian
       - 100% Czech
       - 70% Turkish
     * Docs
       - Document that $sort_alias affects the query menu
     * Build
       - improve ASAN flags
       - add SASL and S/MIME to --everything
       - fix contrib (un)install
     * Code
       - my_hdr compose screen notifications
       - add contracts to the MXAPI
       - maildir refactoring
       - further reduce the use of global variables
     * Upstream
       - Add $count_alternatives to count attachments inside alternatives
   - Changes from 20200925
     * Features
       - Compose: display user-defined headers       - Address Book / Query: live sorting
       - Address Book / Query: patterns for searching
       - Config: Add '+=' and '-=' operators for String Lists
       - Config: Add '+=' operator for Strings
       - Allow postfix query ':setenv NAME?' for env vars     * Bug Fixes
       - Fix crash when searching with invalid regexes
       - Compose: Prevent infinite loop of send2-hooks
       - Fix sidebar on new/removed mailboxes
       - Restore indentation for named mailboxes
       - Prevent half-parsing an alias
       - Remove folder creation prompt for POP path
       - Show error if $message_cachedir doesn't point to a valid directory
       - Fix tracking LastDir in case of IMAP paths with Unicode characters       - Make sure all mail gets applied the index limit
       - Add warnings to -Q query CLI option
       - Fix index tracking functionality
     * Changed Config
       - Add $compose_show_user_headers (yes)
     * Translations
       - 100% Czech
       - 100% Lithuanian
       - Split up usage strings
     * Build
       - Run shellcheck on hcachever.sh
       - Add the Address Sanitizer
       - Move compose files to lib under compose/
       - Move address config into libaddress
       - Update to latest acutest - fixes a memory leak in the unit tests
     * Code
       - Implement ARRAY API
       - Deglobalised the Config Sort functions
       - Refactor the Sidebar to be Event-Driven
       - Refactor the Color Event
       - Refactor the Commands list
       - Make ctx_update_tables private
       - Reduce the scope/deps of some Validator functions
       - Use the Email's IMAP UID instead of an increasing number as index
       - debug: log window focus
   - Removed neomutt-sidebar-abbreviate-shorten-what-user-sees.patch. No
     longer needed.

   - Update to 20200821:
     * Bug Fixes
       - fix maildir flag generation
       - fix query notmuch if file is missing
       - notmuch: don't abort sync on error
       - fix type checking for send config variables
     * Changed Config
       - $sidebar_format - Use %D rather than %B for named mailboxes
     * Translations
       - 96% Lithuanian
       - 90% Polish
   - fix(sidebar): abbreviate/shorten what user sees

   - Fix sidebar mailbox name display problem.

   - Update to 20200814:
     * Notes
       - Add one-liner docs to config items See: neomutt -O -Q smart_wrap
       - Remove the built-in editor A large unused and unusable feature
     * Security
       - Add mitigation against DoS from thousands of parts boo#1179113
     * Features
       - Allow index-style searching in postpone menu
       - Open NeoMutt using a mailbox name
       - Add cd command to change the current working directory
       - Add tab-completion menu for patterns
       - Allow renaming existing mailboxes
       - Check for missing attachments in alternative parts
       - Add one-liner docs to config items
     * Bug Fixes
       - Fix logic in checking an empty From address
       - Fix Imap crash in cmd_parse_expunge()
       - Fix setting attributes with S-Lang
       - Fix: redrawing of $pager_index_lines
       - Fix progress percentage for syncing large mboxes
       - Fix sidebar drawing in presence of indentation + named mailboxes
       - Fix retrieval of drafts when "postponed" is not in the mailboxes list
       - Do not add comments to address group terminators       - Fix alias sorting for degenerate addresses
       - Fix attaching emails
       - Create directories for nonexistent file hcache case
       - Avoid creating mailboxes for failed subscribes
       - Fix crash if rejecting cert
     * Changed Config
       - Add $copy_decode_weed, $pipe_decode_weed, $print_decode_weed
       - Change default of $crypt_protected_headers_subject to "..."
       - Add default keybindings to history-up/down
     * Translations
       - 100% Czech
       - 100% Spanish
     * Build
       - Allow building against Lua 5.4
       - Fix when sqlite3.h is missing
     * Docs
       - Add a brief section on stty to the manual
       - Update section "Terminal Keybindings" in the manual
       - Clarify PGP Pseudo-header S duration
     * Code
       - Clean up String API
       - Make the Sidebar more independent
       - De-centralise the Config Variables
       - Refactor dialogs
       - Refactor: Help Bar generation
       - Make more APIs Context-free
       - Adjust the edata use in Maildir and Notmuch
       - Window refactoring
       - Convert libsend to use Config functions
       - Refactor notifications to reduce noise
       - Convert Keymaps to use STAILQ
       - Track currently selected email by msgid
       - Config: no backing global variable
       - Add events for key binding
     * Upstream
       - Fix imap postponed mailbox use-after-free error
       - Speed up thread sort when many long threads exist
       - Fix ~v tagging when switching to non-threaded sorting
       - Add message/global to the list of known "message" types
       - Print progress meter when copying/saving tagged messages
       - Remove ansi formatting from autoview generated quoted replies
       - Change postpone mode to write Date header too
       - Unstuff format=flowed

   - Update to 20200626:
     * Bug Fixes
       - Avoid opening the same hcache file twice
       - Re-open Mailbox after folder-hook
       - Fix the matching of the spoolfile Mailbox
       - Fix link-thread to link all tagged emails
     * Changed Config
       - Add $tunnel_is_secure config, defaulting to true
     * Upstream
       - Don't check IMAP PREAUTH encryption if $tunnel is in use
       - Add recommendation to use $ssl_force_tls
   - Changes from 20200501:
     * Security
       - Abort GnuTLS certificate check if a cert in the chain is rejected
         CVE-2020-14154 boo#1172906
       - TLS: clear data after a starttls acknowledgement CVE-2020-14954
         boo#1173197
       - Prevent possible IMAP MITM via PREAUTH response CVE-2020-14093
         boo#1172935
     * Features
       - add config operations +=/-= for number,long
       - Address book has a comment field
       - Query menu has a comment field
     * Contrib sample.neomuttrc-starter: Do not echo prompted password
     * Bug Fixes
       - make "news://" and "nntp://" schemes interchangeable
       - Fix CRLF to LF conversion in base64 decoding
       - Double comma in query
       - compose: fix redraw after history
       - Crash inside empty query menu
       - mmdf: fix creating new mailbox
       - mh: fix creating new mailbox
       - mbox: error out when an mbox/mmdf is a pipe
       - Fix list-reply by correct parsing of List-Post headers       - Decode references according to RFC2047
       - fix tagged message count
       - hcache: fix keylen not being considered when building the full key
       - sidebar: fix path comparison
       - Don't mess with the original pattern when running IMAP searches
       - Handle IMAP "NO" resps by issuing a msg instead of failing badly
       - imap: use the connection delimiter if provided
       - Memory leaks
     * Changed Config
       - $alias_format default changed to include %c comment
       - $query_format default changed to include %e extra info
     * Translations
       - 100% Lithuanian
       - 84% French
       - Log the translation in use
     * Docs
       - Add missing commands unbind, unmacro to man pages
     * Build
       - Check size of long using LONG_MAX instead of __WORDSIZE
       - Allow ./configure to not record cflags
       - fix out-of-tree build
       - Avoid locating gdbm symbols in qdbm library
     * Code
       - Refactor unsafe TAILQ returns
       - add window notifications
       - flip negative ifs
       - Update to latest acutest.h
       - test: add store tests
       - test: add compression tests
       - graphviz: email
       - make more opcode info available
       - refactor: main_change_folder()
       - refactor: mutt_mailbox_next()
       - refactor: generate_body()
       - compress: add {min,max}_level to ComprOps
       - emphasise empty loops: "// do nothing"
       - prex: convert is_from() to use regex
       - Refactor IMAP's search routines

   - Update to 20200501:
     * Bug Fixes
       - Make sure buffers are initialized on error
       - fix(sidebar): use abbreviated path if possible
     * Translations
       - 100% Lithuanian
     * Docs
       - make header cache config more explicit
   - Changes from 20200424:
     * Bug Fixes
       - Fix history corruption
       - Handle pretty much anything in a URL query part
       - Correctly parse escaped characters in header phrases
       - Fix crash reading received header
       - Fix sidebar indentation
       - Avoid crashing on failure to parse an IMAP mailbox
       - Maildir: handle deleted emails correctly
       - Ensure OP_NULL is always first
     * Translations
       - 100% Czech
     * Build
       - cirrus: enable pcre2, make pkgconf a special case
       - Fix finding pcre2 w/o pkgconf
       - build: tdb.h needs size_t, bring it in with stddef.h
   - Changes from 20200417:
     * Features
       - Fluid layout for Compose Screen, see: vimeo.com/407231157
       - Trivial Database (TDB) header cache backend
       - RocksDB header cache backend
       - Add  and  functions
     * Bug Fixes
       - add error for CLI empty emails
       - Allow spaces and square brackets in paths
       - browser: fix hidden mailboxes
       - fix initial email display
       - notmuch: fix time window search.
       - fix resize bugs
       - notmuch: fix entire-thread: update current email pointer
       - sidebar: support indenting and shortening of names
       - Handle variables inside backticks in sidebar_whitelist
       - browser: fix mask regex error reporting
     * Translations
       - 100% Lithuanian
       - 99% Chinese (simplified)
     * Build
       - Use regexes for common parsing tasks: urls, dates
       - Add configure option --pcre2 -- Enable PCRE2 regular expressions
       - Add configure option --tdb -- Use TDB for the header cache
       - Add configure option --rocksdb -- Use RocksDB for the header cache
       - Create libstore (key/value backends)
       - Update to latest autosetup
       - Update to latest acutest.h
       - Rename doc/ directory to docs/
       - make: fix location of .Po dependency files
       - Change libcompress to be more universal
       - Fix test fails on ??32
       - fix uidvalidity to unsigned 32-bit int
     * Code
       - Increase test coverage
       - Fix memory leaks
       - Fix null checks
     * Upstream
       - Buffer refactoring
       - Fix use-after-free in mutt_str_replace()
       - Clarify PGP Pseudo-header S duration
       - Try to respect MUTT_QUIET for IMAP contexts too
       - Limit recurse depth when parsing mime messages

   - Update to 20200320:
     * Bug Fixes
       - Fix COLUMNS env var
       - Fix sync after delete
       - Fix crash in notmuch
       - Fix sidebar indent
       - Fix emptying trash
       - Fix command line sending
       - Fix reading large address lists
       - Resolve symlinks only when necessary
     * Translations
       - lithuania 100% Lithuanian
       - es 96% Spanish
     * Docs
       - Include OpenSSL/LibreSSL/GnuTLS version in neomutt -v output
       - Fix case of GPGME and SQLite
     * Build
       - Create libcompress (lz4, zlib, zstd)
       - Create libhistory
       - Create libbcache
       - Move zstrm to libconn
     * Code
       - Add more test coverage
       - Rename magic to type
       - Use mutt_file_fopen() on config variables
       - Change commands to use intptr_t for data

   - Update to 20200313:
     * Window layout
       - Sidebar is only visible when it's usable.
     * Features
       - UI: add number of old messages to sidebar_format
       - UI: support ISO 8601 calendar date
       - UI: fix commands that don???t need to have a non-empty mailbox to be
         valid
       - PGP: inform about successful decryption of inline PGP messages
       - PGP: try to infer the signing key from the From address
       - PGP: enable GPGMe by default
       - Notmuch: use query as name for vfolder-from-query
       - IMAP: add network traffic compression (COMPRESS=DEFLATE, RFC4978)
       - Header cache: add support for generic header cache compression
     * Bug Fixes
       - Fix uncollapse_jump
       - Only try to perform entire-thread on maildir/mh mailboxes
       - Fix crash in pager
       - Avoid logging single new lines at the end of header fields
       - Fix listing mailboxes
       - Do not recurse a non-threaded message
       - Fix initial window order
       - Fix leaks on IMAP error paths
       - Notmuch: compose(attach-message): support notmuch backend
       - Fix IMAP flag comparison code
       - Fix $move for IMAP mailboxes
       - Maildir: maildir_mbox_check_stats should only update mailbox stats
         if requested
       - Fix unmailboxes for virtual mailboxes
       - Maildir: sanitize filename before hashing
       - OAuth: if 'login' name isn't available use 'user'
       - Add error message on failed encryption
       - Fix a bunch of crashes
       - Force C locale for email date
       - Abort if run without a terminal
     * Changed Config
       - $crypt_use_gpgme - Now defaults to 'yes' (enabled)
       - $abort_backspace - Hitting backspace against an empty prompt aborts
         the prompt
       - $abort_key - String representation of key to abort prompts
       - $arrow_string - Use an custom string for arrow_cursor
       - $crypt_opportunistic_encrypt_strong_keys - Enable encryption
         only when strong a key is available
       - $header_cache_compress_dictionary - Filepath to dictionary for zstd
         compression
       - $header_cache_compress_level - Level of compression for method
       - $header_cache_compress_method - Enable generic hcache database
         compression
       - $imap_deflate - Compress network traffic
       - $smtp_user - Username for the SMTP server
     * Translations
       - 100% Lithuanian
       - 81% Spanish
       - 78% Russian
     * Build
       - Add libdebug
       - Rename public headers to lib.h
       - Create libcompress for compressed folders code
     * Code
       - Refactor Windows and Dialogs
       - Lots of code tidying
       - Refactor: mutt_addrlist_{search,write}
       - Lots of improvements to the Config code
       - Use Buffers more pervasively
       - Unify API function naming
       - Rename library shared headers       - Refactor libconn gui dependencies
       - Refactor: init.[ch]
       - Refactor config to use subsets
       - Config: add path type
       - Remove backend deps from the connection code
     * Upstream
       - Allow ~b ~B ~h patterns in send2-hook
       - Rename smime oppenc mode parameter to get_keys_by_addr()
       - Add $crypt_opportunistic_encrypt_strong_keys config var
       - Fix crash when polling a closed ssl connection
       - Turn off auto-clear outside of autocrypt initialization
       - Add protected-headers="v1" to Content-Type when protecting headers       - Fix segv in IMAP postponed menu caused by reopen_allow
       - Adding ISO 8601 calendar date
       - Fix $fcc_attach to not prompt in batch mode
       - Convert remaining mutt_encode_path() call to use struct Buffer
       - Fix rendering of replacement_char when Charset_is_utf8
       - Update to latest acutest.h

   - Update to 20191207:
     * Features:
       - compose: draw status bar with highlights
     * Bug Fixes:
       - crash opening notmuch mailbox
       - crash in mutt_autocrypt_ui_recommendation
       - Avoid negative allocation
       - Mbox new mail
       - Setting of DT_MAILBOX type variables from Lua
       - imap: empty cmdbuf before connecting
       - imap: select the mailbox on reconnect
       - compose: fix attach message
     * Build:
       - make files conditional
     * Code:
       - enum-ify log levels
       - fix function prototypes
       - refactor virtual email lookups
       - factor out global Context
   - Changes from 20191129:
     * Features:
       - Add raw mailsize expando (%cr)
     * Bug Fixes:
       - Avoid double question marks in bounce confirmation msg
       - Fix bounce confirmation
       - fix new-mail flags and behaviour
       - fix: browser 
       - fix ssl crash
       - fix move to trash
       - fix flickering
       - Do not check hidden mailboxes for new mail
       - Fix new_mail_command notifications
       - fix crash in examine_mailboxes()
       - fix crash in mutt_sort_threads()
       - fix: crash after sending
       - Fix crash in tunnel's conn_close
       - fix fcc for deep dirs       - imap: fix crash when new mail arrives
       - fix colour 'quoted9'
       - quieten messages on exit
       - fix: crash after failed mbox_check
       - browser: default to a file/dir view when attaching a file
     * Changed Config:
       - Change $write_bcc to default off
     * Docs:
       - Add a bit more documentation about sending
       - Clarify $write_bcc documentation.
       - Update documentation for raw size expando
       - docbook: set generate.consistent.ids to make generated html
         reproducible
     * Build:
       - fix build/tests for 32-bit arches
       - tests: fix test that would fail soon
       - tests: fix context for failing idna tests

   - Update to 20191111: Bug fixes:
     * browser: fix directory view
     * fix crash in mutt_extract_token()
     * force a screen refresh
     * fix crash sending message from command line
     * notmuch: use nm_default_uri if no mailbox data
     * fix forward attachments
     * fix: vfprintf undefined behaviour in body_handler
     * Fix relative symlink resolution
     * fix: trash to non-existent file/dir
     * fix re-opening of mbox Mailboxes
     * close logging as late as possible
     * log unknown mailboxes
     * fix crash in command line postpone
     * fix memory leaks
     * fix icommand parsing
     * fix new mail interaction with mail_check_recent

   This update was imported from the openSUSE:Leap:15.2:Update update project.


Patch Instructions:

   To install this openSUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - openSUSE Backports SLE-15-SP2:

      zypper in -t patch openSUSE-2020-2158=1



Package List:

   - openSUSE Backports SLE-15-SP2 (aarch64 ppc64le s390x x86_64):

      neomutt-20201120-bp152.2.3.1

   - openSUSE Backports SLE-15-SP2 (noarch):

      neomutt-doc-20201120-bp152.2.3.1
      neomutt-lang-20201120-bp152.2.3.1


References:

   https://www.suse.com/security/cve/CVE-2020-14093.html
   https://www.suse.com/security/cve/CVE-2020-14154.html
   https://www.suse.com/security/cve/CVE-2020-14954.html
   https://www.suse.com/security/cve/CVE-2020-28896.html
   https://bugzilla.suse.com/1172906
   https://bugzilla.suse.com/1172935
   https://bugzilla.suse.com/1173197
   https://bugzilla.suse.com/1179035
   https://bugzilla.suse.com/1179113
--===============5317241724046297795=

openSUSE: 2020:2158-1 moderate: neomutt

December 4, 2020

Description

This update for neomutt fixes the following issues: Update neomutt to 20201120. Address boo#1179035, CVE-2020-28896. * Security - imap: close connection on all failures * Features - alias: add function to Alias/Query dialogs - config: add validators for {imap,smtp,pop}_authenticators - config: warn when signature file is missing or not readable - smtp: support for native SMTP LOGIN auth mech - notmuch: show originating folder in index * Bug Fixes - sidebar: prevent the divider colour bleeding out - sidebar: fix - notmuch: fix query for current email - restore shutdown-hook functionality - crash in reply-to - user-after-free in folder-hook - fix some leaks - fix application of limits to modified mailboxes - write Date header when postponing * Translations - 100% Lithuanian - 100% Czech - 70% Turkish * Docs - Document that $sort_alias affects the query menu * Build - improve ASAN flags - add SASL and S/MIME to --everything - fix contrib (un)install * Code - my_hdr compose screen notifications - add contracts to the MXAPI - maildir refactoring - further reduce the use of global variables * Upstream - Add $count_alternatives to count attachments inside alternatives - Changes from 20200925 * Features - Compose: display user-defined headers - Address Book / Query: live sorting - Address Book / Query: patterns for searching - Config: Add '+=' and '-=' operators for String Lists - Config: Add '+=' operator for Strings - Allow postfix query ':setenv NAME?' for env vars * Bug Fixes - Fix crash when searching with invalid regexes - Compose: Prevent infinite loop of send2-hooks - Fix sidebar on new/removed mailboxes - Restore indentation for named mailboxes - Prevent half-parsing an alias - Remove folder creation prompt for POP path - Show error if $message_cachedir doesn't point to a valid directory - Fix tracking LastDir in case of IMAP paths with Unicode characters - Make sure all mail gets applied the index limit - Add warnings to -Q query CLI option - Fix index tracking functionality * Changed Config - Add $compose_show_user_headers (yes) * Translations - 100% Czech - 100% Lithuanian - Split up usage strings * Build - Run shellcheck on hcachever.sh - Add the Address Sanitizer - Move compose files to lib under compose/ - Move address config into libaddress - Update to latest acutest - fixes a memory leak in the unit tests * Code - Implement ARRAY API - Deglobalised the Config Sort functions - Refactor the Sidebar to be Event-Driven - Refactor the Color Event - Refactor the Commands list - Make ctx_update_tables private - Reduce the scope/deps of some Validator functions - Use the Email's IMAP UID instead of an increasing number as index - debug: log window focus - Removed neomutt-sidebar-abbreviate-shorten-what-user-sees.patch. No longer needed. - Update to 20200821: * Bug Fixes - fix maildir flag generation - fix query notmuch if file is missing - notmuch: don't abort sync on error - fix type checking for send config variables * Changed Config - $sidebar_format - Use %D rather than %B for named mailboxes * Translations - 96% Lithuanian - 90% Polish - fix(sidebar): abbreviate/shorten what user sees - Fix sidebar mailbox name display problem. - Update to 20200814: * Notes - Add one-liner docs to config items See: neomutt -O -Q smart_wrap - Remove the built-in editor A large unused and unusable feature * Security - Add mitigation against DoS from thousands of parts boo#1179113 * Features - Allow index-style searching in postpone menu - Open NeoMutt using a mailbox name - Add cd command to change the current working directory - Add tab-completion menu for patterns - Allow renaming existing mailboxes - Check for missing attachments in alternative parts - Add one-liner docs to config items * Bug Fixes - Fix logic in checking an empty From address - Fix Imap crash in cmd_parse_expunge() - Fix setting attributes with S-Lang - Fix: redrawing of $pager_index_lines - Fix progress percentage for syncing large mboxes - Fix sidebar drawing in presence of indentation + named mailboxes - Fix retrieval of drafts when "postponed" is not in the mailboxes list - Do not add comments to address group terminators - Fix alias sorting for degenerate addresses - Fix attaching emails - Create directories for nonexistent file hcache case - Avoid creating mailboxes for failed subscribes - Fix crash if rejecting cert * Changed Config - Add $copy_decode_weed, $pipe_decode_weed, $print_decode_weed - Change default of $crypt_protected_headers_subject to "..." - Add default keybindings to history-up/down * Translations - 100% Czech - 100% Spanish * Build - Allow building against Lua 5.4 - Fix when sqlite3.h is missing * Docs - Add a brief section on stty to the manual - Update section "Terminal Keybindings" in the manual - Clarify PGP Pseudo-header S duration * Code - Clean up String API - Make the Sidebar more independent - De-centralise the Config Variables - Refactor dialogs - Refactor: Help Bar generation - Make more APIs Context-free - Adjust the edata use in Maildir and Notmuch - Window refactoring - Convert libsend to use Config functions - Refactor notifications to reduce noise - Convert Keymaps to use STAILQ - Track currently selected email by msgid - Config: no backing global variable - Add events for key binding * Upstream - Fix imap postponed mailbox use-after-free error - Speed up thread sort when many long threads exist - Fix ~v tagging when switching to non-threaded sorting - Add message/global to the list of known "message" types - Print progress meter when copying/saving tagged messages - Remove ansi formatting from autoview generated quoted replies - Change postpone mode to write Date header too - Unstuff format=flowed - Update to 20200626: * Bug Fixes - Avoid opening the same hcache file twice - Re-open Mailbox after folder-hook - Fix the matching of the spoolfile Mailbox - Fix link-thread to link all tagged emails * Changed Config - Add $tunnel_is_secure config, defaulting to true * Upstream - Don't check IMAP PREAUTH encryption if $tunnel is in use - Add recommendation to use $ssl_force_tls - Changes from 20200501: * Security - Abort GnuTLS certificate check if a cert in the chain is rejected CVE-2020-14154 boo#1172906 - TLS: clear data after a starttls acknowledgement CVE-2020-14954 boo#1173197 - Prevent possible IMAP MITM via PREAUTH response CVE-2020-14093 boo#1172935 * Features - add config operations +=/-= for number,long - Address book has a comment field - Query menu has a comment field * Contrib sample.neomuttrc-starter: Do not echo prompted password * Bug Fixes - make "news://" and "nntp://" schemes interchangeable - Fix CRLF to LF conversion in base64 decoding - Double comma in query - compose: fix redraw after history - Crash inside empty query menu - mmdf: fix creating new mailbox - mh: fix creating new mailbox - mbox: error out when an mbox/mmdf is a pipe - Fix list-reply by correct parsing of List-Post headers - Decode references according to RFC2047 - fix tagged message count - hcache: fix keylen not being considered when building the full key - sidebar: fix path comparison - Don't mess with the original pattern when running IMAP searches - Handle IMAP "NO" resps by issuing a msg instead of failing badly - imap: use the connection delimiter if provided - Memory leaks * Changed Config - $alias_format default changed to include %c comment - $query_format default changed to include %e extra info * Translations - 100% Lithuanian - 84% French - Log the translation in use * Docs - Add missing commands unbind, unmacro to man pages * Build - Check size of long using LONG_MAX instead of __WORDSIZE - Allow ./configure to not record cflags - fix out-of-tree build - Avoid locating gdbm symbols in qdbm library * Code - Refactor unsafe TAILQ returns - add window notifications - flip negative ifs - Update to latest acutest.h - test: add store tests - test: add compression tests - graphviz: email - make more opcode info available - refactor: main_change_folder() - refactor: mutt_mailbox_next() - refactor: generate_body() - compress: add {min,max}_level to ComprOps - emphasise empty loops: "// do nothing" - prex: convert is_from() to use regex - Refactor IMAP's search routines - Update to 20200501: * Bug Fixes - Make sure buffers are initialized on error - fix(sidebar): use abbreviated path if possible * Translations - 100% Lithuanian * Docs - make header cache config more explicit - Changes from 20200424: * Bug Fixes - Fix history corruption - Handle pretty much anything in a URL query part - Correctly parse escaped characters in header phrases - Fix crash reading received header - Fix sidebar indentation - Avoid crashing on failure to parse an IMAP mailbox - Maildir: handle deleted emails correctly - Ensure OP_NULL is always first * Translations - 100% Czech * Build - cirrus: enable pcre2, make pkgconf a special case - Fix finding pcre2 w/o pkgconf - build: tdb.h needs size_t, bring it in with stddef.h - Changes from 20200417: * Features - Fluid layout for Compose Screen, see: vimeo.com/407231157 - Trivial Database (TDB) header cache backend - RocksDB header cache backend - Add and functions * Bug Fixes - add error for CLI empty emails - Allow spaces and square brackets in paths - browser: fix hidden mailboxes - fix initial email display - notmuch: fix time window search. - fix resize bugs - notmuch: fix entire-thread: update current email pointer - sidebar: support indenting and shortening of names - Handle variables inside backticks in sidebar_whitelist - browser: fix mask regex error reporting * Translations - 100% Lithuanian - 99% Chinese (simplified) * Build - Use regexes for common parsing tasks: urls, dates - Add configure option --pcre2 -- Enable PCRE2 regular expressions - Add configure option --tdb -- Use TDB for the header cache - Add configure option --rocksdb -- Use RocksDB for the header cache - Create libstore (key/value backends) - Update to latest autosetup - Update to latest acutest.h - Rename doc/ directory to docs/ - make: fix location of .Po dependency files - Change libcompress to be more universal - Fix test fails on ??32 - fix uidvalidity to unsigned 32-bit int * Code - Increase test coverage - Fix memory leaks - Fix null checks * Upstream - Buffer refactoring - Fix use-after-free in mutt_str_replace() - Clarify PGP Pseudo-header S duration - Try to respect MUTT_QUIET for IMAP contexts too - Limit recurse depth when parsing mime messages - Update to 20200320: * Bug Fixes - Fix COLUMNS env var - Fix sync after delete - Fix crash in notmuch - Fix sidebar indent - Fix emptying trash - Fix command line sending - Fix reading large address lists - Resolve symlinks only when necessary * Translations - lithuania 100% Lithuanian - es 96% Spanish * Docs - Include OpenSSL/LibreSSL/GnuTLS version in neomutt -v output - Fix case of GPGME and SQLite * Build - Create libcompress (lz4, zlib, zstd) - Create libhistory - Create libbcache - Move zstrm to libconn * Code - Add more test coverage - Rename magic to type - Use mutt_file_fopen() on config variables - Change commands to use intptr_t for data - Update to 20200313: * Window layout - Sidebar is only visible when it's usable. * Features - UI: add number of old messages to sidebar_format - UI: support ISO 8601 calendar date - UI: fix commands that don???t need to have a non-empty mailbox to be valid - PGP: inform about successful decryption of inline PGP messages - PGP: try to infer the signing key from the From address - PGP: enable GPGMe by default - Notmuch: use query as name for vfolder-from-query - IMAP: add network traffic compression (COMPRESS=DEFLATE, RFC4978) - Header cache: add support for generic header cache compression * Bug Fixes - Fix uncollapse_jump - Only try to perform entire-thread on maildir/mh mailboxes - Fix crash in pager - Avoid logging single new lines at the end of header fields - Fix listing mailboxes - Do not recurse a non-threaded message - Fix initial window order - Fix leaks on IMAP error paths - Notmuch: compose(attach-message): support notmuch backend - Fix IMAP flag comparison code - Fix $move for IMAP mailboxes - Maildir: maildir_mbox_check_stats should only update mailbox stats if requested - Fix unmailboxes for virtual mailboxes - Maildir: sanitize filename before hashing - OAuth: if 'login' name isn't available use 'user' - Add error message on failed encryption - Fix a bunch of crashes - Force C locale for email date - Abort if run without a terminal * Changed Config - $crypt_use_gpgme - Now defaults to 'yes' (enabled) - $abort_backspace - Hitting backspace against an empty prompt aborts the prompt - $abort_key - String representation of key to abort prompts - $arrow_string - Use an custom string for arrow_cursor - $crypt_opportunistic_encrypt_strong_keys - Enable encryption only when strong a key is available - $header_cache_compress_dictionary - Filepath to dictionary for zstd compression - $header_cache_compress_level - Level of compression for method - $header_cache_compress_method - Enable generic hcache database compression - $imap_deflate - Compress network traffic - $smtp_user - Username for the SMTP server * Translations - 100% Lithuanian - 81% Spanish - 78% Russian * Build - Add libdebug - Rename public headers to lib.h - Create libcompress for compressed folders code * Code - Refactor Windows and Dialogs - Lots of code tidying - Refactor: mutt_addrlist_{search,write} - Lots of improvements to the Config code - Use Buffers more pervasively - Unify API function naming - Rename library shared headers - Refactor libconn gui dependencies - Refactor: init.[ch] - Refactor config to use subsets - Config: add path type - Remove backend deps from the connection code * Upstream - Allow ~b ~B ~h patterns in send2-hook - Rename smime oppenc mode parameter to get_keys_by_addr() - Add $crypt_opportunistic_encrypt_strong_keys config var - Fix crash when polling a closed ssl connection - Turn off auto-clear outside of autocrypt initialization - Add protected-headers="v1" to Content-Type when protecting headers - Fix segv in IMAP postponed menu caused by reopen_allow - Adding ISO 8601 calendar date - Fix $fcc_attach to not prompt in batch mode - Convert remaining mutt_encode_path() call to use struct Buffer - Fix rendering of replacement_char when Charset_is_utf8 - Update to latest acutest.h - Update to 20191207: * Features: - compose: draw status bar with highlights * Bug Fixes: - crash opening notmuch mailbox - crash in mutt_autocrypt_ui_recommendation - Avoid negative allocation - Mbox new mail - Setting of DT_MAILBOX type variables from Lua - imap: empty cmdbuf before connecting - imap: select the mailbox on reconnect - compose: fix attach message * Build: - make files conditional * Code: - enum-ify log levels - fix function prototypes - refactor virtual email lookups - factor out global Context - Changes from 20191129: * Features: - Add raw mailsize expando (%cr) * Bug Fixes: - Avoid double question marks in bounce confirmation msg - Fix bounce confirmation - fix new-mail flags and behaviour - fix: browser - fix ssl crash - fix move to trash - fix flickering - Do not check hidden mailboxes for new mail - Fix new_mail_command notifications - fix crash in examine_mailboxes() - fix crash in mutt_sort_threads() - fix: crash after sending - Fix crash in tunnel's conn_close - fix fcc for deep dirs - imap: fix crash when new mail arrives - fix colour 'quoted9' - quieten messages on exit - fix: crash after failed mbox_check - browser: default to a file/dir view when attaching a file * Changed Config: - Change $write_bcc to default off * Docs: - Add a bit more documentation about sending - Clarify $write_bcc documentation. - Update documentation for raw size expando - docbook: set generate.consistent.ids to make generated html reproducible * Build: - fix build/tests for 32-bit arches - tests: fix test that would fail soon - tests: fix context for failing idna tests - Update to 20191111: Bug fixes: * browser: fix directory view * fix crash in mutt_extract_token() * force a screen refresh * fix crash sending message from command line * notmuch: use nm_default_uri if no mailbox data * fix forward attachments * fix: vfprintf undefined behaviour in body_handler * Fix relative symlink resolution * fix: trash to non-existent file/dir * fix re-opening of mbox Mailboxes * close logging as late as possible * log unknown mailboxes * fix crash in command line postpone * fix memory leaks * fix icommand parsing * fix new mail interaction with mail_check_recent This update was imported from the openSUSE:Leap:15.2:Update update project.

 

Patch

Patch Instructions: To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - openSUSE Backports SLE-15-SP2: zypper in -t patch openSUSE-2020-2158=1


Package List

- openSUSE Backports SLE-15-SP2 (aarch64 ppc64le s390x x86_64): neomutt-20201120-bp152.2.3.1 - openSUSE Backports SLE-15-SP2 (noarch): neomutt-doc-20201120-bp152.2.3.1 neomutt-lang-20201120-bp152.2.3.1


References

https://www.suse.com/security/cve/CVE-2020-14093.html https://www.suse.com/security/cve/CVE-2020-14154.html https://www.suse.com/security/cve/CVE-2020-14954.html https://www.suse.com/security/cve/CVE-2020-28896.html https://bugzilla.suse.com/1172906 https://bugzilla.suse.com/1172935 https://bugzilla.suse.com/1173197 https://bugzilla.suse.com/1179035 https://bugzilla.suse.com/1179113--===============5317241724046297795=


Severity
Announcement ID: openSUSE-SU-2020:2158-1
Rating: moderate
Affected Products: openSUSE Backports SLE-15-SP2 An update that solves four vulnerabilities and has one errata is now available.

Related News