--===============5317241724046297795==

Announcement ID:    openSUSE-SU-2020:2158-1
Rating:             moderate
References:         #1172906 #1172935 #1173197 #1179035 #1179113 
                    
Cross-References:   CVE-2020-14093 CVE-2020-14154 CVE-2020-14954
                    CVE-2020-28896
Affected Products:
                    openSUSE Backports SLE-15-SP2
______________________________________________________________________________

   An update that solves four vulnerabilities and has one
   errata is now available.

Description:

   This update for neomutt fixes the following issues:

   Update neomutt to 20201120. Address boo#1179035, CVE-2020-28896.

     * Security
       - imap: close connection on all failures
     * Features
       - alias: add function to Alias/Query dialogs
       - config: add validators for {imap,smtp,pop}_authenticators
       - config: warn when signature file is missing or not readable
       - smtp: support for native SMTP LOGIN auth mech
       - notmuch: show originating folder in index
     * Bug Fixes
       - sidebar: prevent the divider colour bleeding out
       - sidebar: fix 
       - notmuch: fix query for current email
       - restore shutdown-hook functionality
       - crash in reply-to
       - user-after-free in folder-hook
       - fix some leaks
       - fix application of limits to modified mailboxes
       - write Date header when postponing
     * Translations
       - 100% Lithuanian
       - 100% Czech
       - 70% Turkish
     * Docs
       - Document that $sort_alias affects the query menu
     * Build
       - improve ASAN flags
       - add SASL and S/MIME to --everything
       - fix contrib (un)install
     * Code
       - my_hdr compose screen notifications
       - add contracts to the MXAPI
       - maildir refactoring
       - further reduce the use of global variables
     * Upstream
       - Add $count_alternatives to count attachments inside alternatives
   - Changes from 20200925
     * Features
       - Compose: display user-defined headers
       - Address Book / Query: live sorting
       - Address Book / Query: patterns for searching
       - Config: Add '+=' and '-=' operators for String Lists
       - Config: Add '+=' operator for Strings
       - Allow postfix query ':setenv NAME?' for env vars
     * Bug Fixes
       - Fix crash when searching with invalid regexes
       - Compose: Prevent infinite loop of send2-hooks
       - Fix sidebar on new/removed mailboxes
       - Restore indentation for named mailboxes
       - Prevent half-parsing an alias
       - Remove folder creation prompt for POP path
       - Show error if $message_cachedir doesn't point to a valid directory
       - Fix tracking LastDir in case of IMAP paths with Unicode characters
       - Make sure all mail gets applied the index limit
       - Add warnings to -Q query CLI option
       - Fix index tracking functionality
     * Changed Config
       - Add $compose_show_user_headers (yes)
     * Translations
       - 100% Czech
       - 100% Lithuanian
       - Split up usage strings
     * Build
       - Run shellcheck on hcachever.sh
       - Add the Address Sanitizer
       - Move compose files to lib under compose/
       - Move address config into libaddress
       - Update to latest acutest - fixes a memory leak in the unit tests
     * Code
       - Implement ARRAY API
       - Deglobalised the Config Sort functions
       - Refactor the Sidebar to be Event-Driven
       - Refactor the Color Event
       - Refactor the Commands list
       - Make ctx_update_tables private
       - Reduce the scope/deps of some Validator functions
       - Use the Email's IMAP UID instead of an increasing number as index
       - debug: log window focus
   - Removed neomutt-sidebar-abbreviate-shorten-what-user-sees.patch. No
     longer needed.

   - Update to 20200821:
     * Bug Fixes
       - fix maildir flag generation
       - fix query notmuch if file is missing
       - notmuch: don't abort sync on error
       - fix type checking for send config variables
     * Changed Config
       - $sidebar_format - Use %D rather than %B for named mailboxes
     * Translations
       - 96% Lithuanian
       - 90% Polish
   - fix(sidebar): abbreviate/shorten what user sees

   - Fix sidebar mailbox name display problem.

   - Update to 20200814:
     * Notes
       - Add one-liner docs to config items See: neomutt -O -Q smart_wrap
       - Remove the built-in editor A large unused and unusable feature
     * Security
       - Add mitigation against DoS from thousands of parts boo#1179113
     * Features
       - Allow index-style searching in postpone menu
       - Open NeoMutt using a mailbox name
       - Add cd command to change the current working directory
       - Add tab-completion menu for patterns
       - Allow renaming existing mailboxes
       - Check for missing attachments in alternative parts
       - Add one-liner docs to config items
     * Bug Fixes
       - Fix logic in checking an empty From address
       - Fix Imap crash in cmd_parse_expunge()
       - Fix setting attributes with S-Lang
       - Fix: redrawing of $pager_index_lines
       - Fix progress percentage for syncing large mboxes
       - Fix sidebar drawing in presence of indentation + named mailboxes
       - Fix retrieval of drafts when "postponed" is not in the mailboxes list
       - Do not add comments to address group terminators
       - Fix alias sorting for degenerate addresses
       - Fix attaching emails
       - Create directories for nonexistent file hcache case
       - Avoid creating mailboxes for failed subscribes
       - Fix crash if rejecting cert
     * Changed Config
       - Add $copy_decode_weed, $pipe_decode_weed, $print_decode_weed
       - Change default of $crypt_protected_headers_subject to "..."
       - Add default keybindings to history-up/down
     * Translations
       - 100% Czech
       - 100% Spanish
     * Build
       - Allow building against Lua 5.4
       - Fix when sqlite3.h is missing
     * Docs
       - Add a brief section on stty to the manual
       - Update section "Terminal Keybindings" in the manual
       - Clarify PGP Pseudo-header S duration
     * Code
       - Clean up String API
       - Make the Sidebar more independent
       - De-centralise the Config Variables
       - Refactor dialogs
       - Refactor: Help Bar generation
       - Make more APIs Context-free
       - Adjust the edata use in Maildir and Notmuch
       - Window refactoring
       - Convert libsend to use Config functions
       - Refactor notifications to reduce noise
       - Convert Keymaps to use STAILQ
       - Track currently selected email by msgid
       - Config: no backing global variable
       - Add events for key binding
     * Upstream
       - Fix imap postponed mailbox use-after-free error
       - Speed up thread sort when many long threads exist
       - Fix ~v tagging when switching to non-threaded sorting
       - Add message/global to the list of known "message" types
       - Print progress meter when copying/saving tagged messages
       - Remove ansi formatting from autoview generated quoted replies
       - Change postpone mode to write Date header too
       - Unstuff format=flowed

   - Update to 20200626:
     * Bug Fixes
       - Avoid opening the same hcache file twice
       - Re-open Mailbox after folder-hook
       - Fix the matching of the spoolfile Mailbox
       - Fix link-thread to link all tagged emails
     * Changed Config
       - Add $tunnel_is_secure config, defaulting to true
     * Upstream
       - Don't check IMAP PREAUTH encryption if $tunnel is in use
       - Add recommendation to use $ssl_force_tls
   - Changes from 20200501:
     * Security
       - Abort GnuTLS certificate check if a cert in the chain is rejected
         CVE-2020-14154 boo#1172906
       - TLS: clear data after a starttls acknowledgement CVE-2020-14954
         boo#1173197
       - Prevent possible IMAP MITM via PREAUTH response CVE-2020-14093
         boo#1172935
     * Features
       - add config operations +=/-= for number,long
       - Address book has a comment field
       - Query menu has a comment field
     * Contrib sample.neomuttrc-starter: Do not echo prompted password
     * Bug Fixes
       - make "news://" and "nntp://" schemes interchangeable
       - Fix CRLF to LF conversion in base64 decoding
       - Double comma in query
       - compose: fix redraw after history
       - Crash inside empty query menu
       - mmdf: fix creating new mailbox
       - mh: fix creating new mailbox
       - mbox: error out when an mbox/mmdf is a pipe
       - Fix list-reply by correct parsing of List-Post headers
       - Decode references according to RFC2047
       - fix tagged message count
       - hcache: fix keylen not being considered when building the full key
       - sidebar: fix path comparison
       - Don't mess with the original pattern when running IMAP searches
       - Handle IMAP "NO" resps by issuing a msg instead of failing badly
       - imap: use the connection delimiter if provided
       - Memory leaks
     * Changed Config
       - $alias_format default changed to include %c comment
       - $query_format default changed to include %e extra info
     * Translations
       - 100% Lithuanian
       - 84% French
       - Log the translation in use
     * Docs
       - Add missing commands unbind, unmacro to man pages
     * Build
       - Check size of long using LONG_MAX instead of __WORDSIZE
       - Allow ./configure to not record cflags
       - fix out-of-tree build
       - Avoid locating gdbm symbols in qdbm library
     * Code
       - Refactor unsafe TAILQ returns
       - add window notifications
       - flip negative ifs
       - Update to latest acutest.h
       - test: add store tests
       - test: add compression tests
       - graphviz: email
       - make more opcode info available
       - refactor: main_change_folder()
       - refactor: mutt_mailbox_next()
       - refactor: generate_body()
       - compress: add {min,max}_level to ComprOps
       - emphasise empty loops: "// do nothing"
       - prex: convert is_from() to use regex
       - Refactor IMAP's search routines

   - Update to 20200501:
     * Bug Fixes
       - Make sure buffers are initialized on error
       - fix(sidebar): use abbreviated path if possible
     * Translations
       - 100% Lithuanian
     * Docs
       - make header cache config more explicit
   - Changes from 20200424:
     * Bug Fixes
       - Fix history corruption
       - Handle pretty much anything in a URL query part
       - Correctly parse escaped characters in header phrases
       - Fix crash reading received header
       - Fix sidebar indentation
       - Avoid crashing on failure to parse an IMAP mailbox
       - Maildir: handle deleted emails correctly
       - Ensure OP_NULL is always first
     * Translations
       - 100% Czech
     * Build
       - cirrus: enable pcre2, make pkgconf a special case
       - Fix finding pcre2 w/o pkgconf
       - build: tdb.h needs size_t, bring it in with stddef.h
   - Changes from 20200417:
     * Features
       - Fluid layout for Compose Screen, see: vimeo.com/407231157
       - Trivial Database (TDB) header cache backend
       - RocksDB header cache backend
       - Add  and  functions
     * Bug Fixes
       - add error for CLI empty emails
       - Allow spaces and square brackets in paths
       - browser: fix hidden mailboxes
       - fix initial email display
       - notmuch: fix time window search.
       - fix resize bugs
       - notmuch: fix entire-thread: update current email pointer
       - sidebar: support indenting and shortening of names
       - Handle variables inside backticks in sidebar_whitelist
       - browser: fix mask regex error reporting
     * Translations
       - 100% Lithuanian
       - 99% Chinese (simplified)
     * Build
       - Use regexes for common parsing tasks: urls, dates
       - Add configure option --pcre2 -- Enable PCRE2 regular expressions
       - Add configure option --tdb -- Use TDB for the header cache
       - Add configure option --rocksdb -- Use RocksDB for the header cache
       - Create libstore (key/value backends)
       - Update to latest autosetup
       - Update to latest acutest.h
       - Rename doc/ directory to docs/
       - make: fix location of .Po dependency files
       - Change libcompress to be more universal
       - Fix test fails on ??32
       - fix uidvalidity to unsigned 32-bit int
     * Code
       - Increase test coverage
       - Fix memory leaks
       - Fix null checks
     * Upstream
       - Buffer refactoring
       - Fix use-after-free in mutt_str_replace()
       - Clarify PGP Pseudo-header S duration
       - Try to respect MUTT_QUIET for IMAP contexts too
       - Limit recurse depth when parsing mime messages

   - Update to 20200320:
     * Bug Fixes
       - Fix COLUMNS env var
       - Fix sync after delete
       - Fix crash in notmuch
       - Fix sidebar indent
       - Fix emptying trash
       - Fix command line sending
       - Fix reading large address lists
       - Resolve symlinks only when necessary
     * Translations
       - lithuania 100% Lithuanian
       - es 96% Spanish
     * Docs
       - Include OpenSSL/LibreSSL/GnuTLS version in neomutt -v output
       - Fix case of GPGME and SQLite
     * Build
       - Create libcompress (lz4, zlib, zstd)
       - Create libhistory
       - Create libbcache
       - Move zstrm to libconn
     * Code
       - Add more test coverage
       - Rename magic to type
       - Use mutt_file_fopen() on config variables
       - Change commands to use intptr_t for data

   - Update to 20200313:
     * Window layout
       - Sidebar is only visible when it's usable.
     * Features
       - UI: add number of old messages to sidebar_format
       - UI: support ISO 8601 calendar date
       - UI: fix commands that don???t need to have a non-empty mailbox to be
         valid
       - PGP: inform about successful decryption of inline PGP messages
       - PGP: try to infer the signing key from the From address
       - PGP: enable GPGMe by default
       - Notmuch: use query as name for vfolder-from-query
       - IMAP: add network traffic compression (COMPRESS=DEFLATE, RFC4978)
       - Header cache: add support for generic header cache compression
     * Bug Fixes
       - Fix uncollapse_jump
       - Only try to perform entire-thread on maildir/mh mailboxes
       - Fix crash in pager
       - Avoid logging single new lines at the end of header fields
       - Fix listing mailboxes
       - Do not recurse a non-threaded message
       - Fix initial window order
       - Fix leaks on IMAP error paths
       - Notmuch: compose(attach-message): support notmuch backend
       - Fix IMAP flag comparison code
       - Fix $move for IMAP mailboxes
       - Maildir: maildir_mbox_check_stats should only update mailbox stats
         if requested
       - Fix unmailboxes for virtual mailboxes
       - Maildir: sanitize filename before hashing
       - OAuth: if 'login' name isn't available use 'user'
       - Add error message on failed encryption
       - Fix a bunch of crashes
       - Force C locale for email date
       - Abort if run without a terminal
     * Changed Config
       - $crypt_use_gpgme - Now defaults to 'yes' (enabled)
       - $abort_backspace - Hitting backspace against an empty prompt aborts
         the prompt
       - $abort_key - String representation of key to abort prompts
       - $arrow_string - Use an custom string for arrow_cursor
       - $crypt_opportunistic_encrypt_strong_keys - Enable encryption
         only when strong a key is available
       - $header_cache_compress_dictionary - Filepath to dictionary for zstd
         compression
       - $header_cache_compress_level - Level of compression for method
       - $header_cache_compress_method - Enable generic hcache database
         compression
       - $imap_deflate - Compress network traffic
       - $smtp_user - Username for the SMTP server
     * Translations
       - 100% Lithuanian
       - 81% Spanish
       - 78% Russian
     * Build
       - Add libdebug
       - Rename public headers to lib.h
       - Create libcompress for compressed folders code
     * Code
       - Refactor Windows and Dialogs
       - Lots of code tidying
       - Refactor: mutt_addrlist_{search,write}
       - Lots of improvements to the Config code
       - Use Buffers more pervasively
       - Unify API function naming
       - Rename library shared headers
       - Refactor libconn gui dependencies
       - Refactor: init.[ch]
       - Refactor config to use subsets
       - Config: add path type
       - Remove backend deps from the connection code
     * Upstream
       - Allow ~b ~B ~h patterns in send2-hook
       - Rename smime oppenc mode parameter to get_keys_by_addr()
       - Add $crypt_opportunistic_encrypt_strong_keys config var
       - Fix crash when polling a closed ssl connection
       - Turn off auto-clear outside of autocrypt initialization
       - Add protected-headers="v1" to Content-Type when protecting headers
       - Fix segv in IMAP postponed menu caused by reopen_allow
       - Adding ISO 8601 calendar date
       - Fix $fcc_attach to not prompt in batch mode
       - Convert remaining mutt_encode_path() call to use struct Buffer
       - Fix rendering of replacement_char when Charset_is_utf8
       - Update to latest acutest.h

   - Update to 20191207:
     * Features:
       - compose: draw status bar with highlights
     * Bug Fixes:
       - crash opening notmuch mailbox
       - crash in mutt_autocrypt_ui_recommendation
       - Avoid negative allocation
       - Mbox new mail
       - Setting of DT_MAILBOX type variables from Lua
       - imap: empty cmdbuf before connecting
       - imap: select the mailbox on reconnect
       - compose: fix attach message
     * Build:
       - make files conditional
     * Code:
       - enum-ify log levels
       - fix function prototypes
       - refactor virtual email lookups
       - factor out global Context
   - Changes from 20191129:
     * Features:
       - Add raw mailsize expando (%cr)
     * Bug Fixes:
       - Avoid double question marks in bounce confirmation msg
       - Fix bounce confirmation
       - fix new-mail flags and behaviour
       - fix: browser 
       - fix ssl crash
       - fix move to trash
       - fix flickering
       - Do not check hidden mailboxes for new mail
       - Fix new_mail_command notifications
       - fix crash in examine_mailboxes()
       - fix crash in mutt_sort_threads()
       - fix: crash after sending
       - Fix crash in tunnel's conn_close
       - fix fcc for deep dirs
       - imap: fix crash when new mail arrives
       - fix colour 'quoted9'
       - quieten messages on exit
       - fix: crash after failed mbox_check
       - browser: default to a file/dir view when attaching a file
     * Changed Config:
       - Change $write_bcc to default off
     * Docs:
       - Add a bit more documentation about sending
       - Clarify $write_bcc documentation.
       - Update documentation for raw size expando
       - docbook: set generate.consistent.ids to make generated html
         reproducible
     * Build:
       - fix build/tests for 32-bit arches
       - tests: fix test that would fail soon
       - tests: fix context for failing idna tests

   - Update to 20191111: Bug fixes:
     * browser: fix directory view
     * fix crash in mutt_extract_token()
     * force a screen refresh
     * fix crash sending message from command line
     * notmuch: use nm_default_uri if no mailbox data
     * fix forward attachments
     * fix: vfprintf undefined behaviour in body_handler
     * Fix relative symlink resolution
     * fix: trash to non-existent file/dir
     * fix re-opening of mbox Mailboxes
     * close logging as late as possible
     * log unknown mailboxes
     * fix crash in command line postpone
     * fix memory leaks
     * fix icommand parsing
     * fix new mail interaction with mail_check_recent

   This update was imported from the openSUSE:Leap:15.2:Update update project.


Patch Instructions:

   To install this openSUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - openSUSE Backports SLE-15-SP2:

      zypper in -t patch openSUSE-2020-2158=1



Package List:

   - openSUSE Backports SLE-15-SP2 (aarch64 ppc64le s390x x86_64):

      neomutt-20201120-bp152.2.3.1

   - openSUSE Backports SLE-15-SP2 (noarch):

      neomutt-doc-20201120-bp152.2.3.1
      neomutt-lang-20201120-bp152.2.3.1


References:

   https://www.suse.com/security/cve/CVE-2020-14093.html
   https://www.suse.com/security/cve/CVE-2020-14154.html
   https://www.suse.com/security/cve/CVE-2020-14954.html
   https://www.suse.com/security/cve/CVE-2020-28896.html
   https://bugzilla.suse.com/1172906
   https://bugzilla.suse.com/1172935
   https://bugzilla.suse.com/1173197
   https://bugzilla.suse.com/1179035
   https://bugzilla.suse.com/1179113
--===============5317241724046297795==