openSUSE Security Update: Security update for neomutt
______________________________________________________________________________
Announcement ID: openSUSE-SU-2020:2127-1
Rating: moderate
References: #1172906 #1172935 #1173197 #1179035 #1179113
Cross-References: CVE-2020-14093 CVE-2020-14154 CVE-2020-14954
CVE-2020-28896
Affected Products:
openSUSE Leap 15.2
openSUSE Leap 15.1
______________________________________________________________________________
An update that solves four vulnerabilities and has one
errata is now available.
Description:
This update for neomutt fixes the following issues:
Update neomutt to 20201120. Address boo#1179035, CVE-2020-28896.
* Security
– imap: close connection on all failures
* Features
– alias: add function to Alias/Query dialogs
– config: add validators for {imap,smtp,pop}_authenticators
– config: warn when signature file is missing or not readable
– smtp: support for native SMTP LOGIN auth mech
– notmuch: show originating folder in index
* Bug Fixes
– sidebar: prevent the divider colour bleeding out
– sidebar: fix <sidebar-{next,prev}-new>
– notmuch: fix query for current email
– restore shutdown-hook functionality
– crash in reply-to
– user-after-free in folder-hook
– fix some leaks
– fix application of limits to modified mailboxes
– write Date header when postponing
* Translations
– 100% Lithuanian
– 100% Czech
– 70% Turkish
* Docs
– Document that $sort_alias affects the query menu
* Build
– improve ASAN flags
– add SASL and S/MIME to –everything
– fix contrib (un)install
* Code
– my_hdr compose screen notifications
– add contracts to the MXAPI
– maildir refactoring
– further reduce the use of global variables
* Upstream
– Add $count_alternatives to count attachments inside alternatives
– Changes from 20200925
* Features
– Compose: display user-defined headers
– Address Book / Query: live sorting
– Address Book / Query: patterns for searching
– Config: Add ‘+=’ and ‘-=’ operators for String Lists
– Config: Add ‘+=’ operator for Strings
– Allow postfix query ‘:setenv NAME?’ for env vars
* Bug Fixes
– Fix crash when searching with invalid regexes
– Compose: Prevent infinite loop of send2-hooks
– Fix sidebar on new/removed mailboxes
– Restore indentation for named mailboxes
– Prevent half-parsing an alias
– Remove folder creation prompt for POP path
– Show error if $message_cachedir doesn’t point to a valid directory
– Fix tracking LastDir in case of IMAP paths with Unicode characters
– Make sure all mail gets applied the index limit
– Add warnings to -Q query CLI option
– Fix index tracking functionality
* Changed Config
– Add $compose_show_user_headers (yes)
* Translations
– 100% Czech
– 100% Lithuanian
– Split up usage strings
* Build
– Run shellcheck on hcachever.sh
– Add the Address Sanitizer
– Move compose files to lib under compose/
– Move address config into libaddress
– Update to latest acutest – fixes a memory leak in the unit tests
* Code
– Implement ARRAY API
– Deglobalised the Config Sort functions
– Refactor the Sidebar to be Event-Driven
– Refactor the Color Event
– Refactor the Commands list
– Make ctx_update_tables private
– Reduce the scope/deps of some Validator functions
– Use the Email’s IMAP UID instead of an increasing number as index
– debug: log window focus
– Removed neomutt-sidebar-abbreviate-shorten-what-user-sees.patch. No
longer needed.
– Update to 20200821:
* Bug Fixes
– fix maildir flag generation
– fix query notmuch if file is missing
– notmuch: don’t abort sync on error
– fix type checking for send config variables
* Changed Config
– $sidebar_format – Use %D rather than %B for named mailboxes
* Translations
– 96% Lithuanian
– 90% Polish
– fix(sidebar): abbreviate/shorten what user sees
– Fix sidebar mailbox name display problem.
– Update to 20200814:
* Notes
– Add one-liner docs to config items See: neomutt -O -Q smart_wrap
– Remove the built-in editor A large unused and unusable feature
* Security
– Add mitigation against DoS from thousands of parts boo#1179113
* Features
– Allow index-style searching in postpone menu
– Open NeoMutt using a mailbox name
– Add cd command to change the current working directory
– Add tab-completion menu for patterns
– Allow renaming existing mailboxes
– Check for missing attachments in alternative parts
– Add one-liner docs to config items
* Bug Fixes
– Fix logic in checking an empty From address
– Fix Imap crash in cmd_parse_expunge()
– Fix setting attributes with S-Lang
– Fix: redrawing of $pager_index_lines
– Fix progress percentage for syncing large mboxes
– Fix sidebar drawing in presence of indentation + named mailboxes
– Fix retrieval of drafts when “postponed” is not in the mailboxes list
– Do not add comments to address group terminators
– Fix alias sorting for degenerate addresses
– Fix attaching emails
– Create directories for nonexistent file hcache case
– Avoid creating mailboxes for failed subscribes
– Fix crash if rejecting cert
* Changed Config
– Add $copy_decode_weed, $pipe_decode_weed, $print_decode_weed
– Change default of $crypt_protected_headers_subject to “…”
– Add default keybindings to history-up/down
* Translations
– 100% Czech
– 100% Spanish
* Build
– Allow building against Lua 5.4
– Fix when sqlite3.h is missing
* Docs
– Add a brief section on stty to the manual
– Update section “Terminal Keybindings” in the manual
– Clarify PGP Pseudo-header S<id> duration
* Code
– Clean up String API
– Make the Sidebar more independent
– De-centralise the Config Variables
– Refactor dialogs
– Refactor: Help Bar generation
– Make more APIs Context-free
– Adjust the edata use in Maildir and Notmuch
– Window refactoring
– Convert libsend to use Config functions
– Refactor notifications to reduce noise
– Convert Keymaps to use STAILQ
– Track currently selected email by msgid
– Config: no backing global variable
– Add events for key binding
* Upstream
– Fix imap postponed mailbox use-after-free error
– Speed up thread sort when many long threads exist
– Fix ~v tagging when switching to non-threaded sorting
– Add message/global to the list of known “message” types
– Print progress meter when copying/saving tagged messages
– Remove ansi formatting from autoview generated quoted replies
– Change postpone mode to write Date header too
– Unstuff format=flowed
– Update to 20200626:
* Bug Fixes
– Avoid opening the same hcache file twice
– Re-open Mailbox after folder-hook
– Fix the matching of the spoolfile Mailbox
– Fix link-thread to link all tagged emails
* Changed Config
– Add $tunnel_is_secure config, defaulting to true
* Upstream
– Don’t check IMAP PREAUTH encryption if $tunnel is in use
– Add recommendation to use $ssl_force_tls
– Changes from 20200501:
* Security
– Abort GnuTLS certificate check if a cert in the chain is rejected
CVE-2020-14154 boo#1172906
– TLS: clear data after a starttls acknowledgement CVE-2020-14954
boo#1173197
– Prevent possible IMAP MITM via PREAUTH response CVE-2020-14093
boo#1172935
* Features
– add config operations +=/-= for number,long
– Address book has a comment field
– Query menu has a comment field
* Contrib sample.neomuttrc-starter: Do not echo prompted password
* Bug Fixes
– make “news://” and “nntp://” schemes interchangeable
– Fix CRLF to LF conversion in base64 decoding
– Double comma in query
– compose: fix redraw after history
– Crash inside empty query menu
– mmdf: fix creating new mailbox
– mh: fix creating new mailbox
– mbox: error out when an mbox/mmdf is a pipe
– Fix list-reply by correct parsing of List-Post headers
– Decode references according to RFC2047
– fix tagged message count
– hcache: fix keylen not being considered when building the full key
– sidebar: fix path comparison
– Don’t mess with the original pattern when running IMAP searches
– Handle IMAP “NO” resps by issuing a msg instead of failing badly
– imap: use the connection delimiter if provided
– Memory leaks
* Changed Config
– $alias_format default changed to include %c comment
– $query_format default changed to include %e extra info
* Translations
– 100% Lithuanian
– 84% French
– Log the translation in use
* Docs
– Add missing commands unbind, unmacro to man pages
* Build
– Check size of long using LONG_MAX instead of __WORDSIZE
– Allow ./configure to not record cflags
– fix out-of-tree build
– Avoid locating gdbm symbols in qdbm library
* Code
– Refactor unsafe TAILQ returns
– add window notifications
– flip negative ifs
– Update to latest acutest.h
– test: add store tests
– test: add compression tests
– graphviz: email
– make more opcode info available
– refactor: main_change_folder()
– refactor: mutt_mailbox_next()
– refactor: generate_body()
– compress: add {min,max}_level to ComprOps
– emphasise empty loops: “// do nothing”
– prex: convert is_from() to use regex
– Refactor IMAP’s search routines
– Update to 20200501:
* Bug Fixes
– Make sure buffers are initialized on error
– fix(sidebar): use abbreviated path if possible
* Translations
– 100% Lithuanian
* Docs
– make header cache config more explicit
– Changes from 20200424:
* Bug Fixes
– Fix history corruption
– Handle pretty much anything in a URL query part
– Correctly parse escaped characters in header phrases
– Fix crash reading received header
– Fix sidebar indentation
– Avoid crashing on failure to parse an IMAP mailbox
– Maildir: handle deleted emails correctly
– Ensure OP_NULL is always first
* Translations
– 100% Czech
* Build
– cirrus: enable pcre2, make pkgconf a special case
– Fix finding pcre2 w/o pkgconf
– build: tdb.h needs size_t, bring it in with stddef.h
– Changes from 20200417:
* Features
– Fluid layout for Compose Screen, see: vimeo.com/407231157
– Trivial Database (TDB) header cache backend
– RocksDB header cache backend
– Add <sidebar-first> and <sidebar-last> functions
* Bug Fixes
– add error for CLI empty emails
– Allow spaces and square brackets in paths
– browser: fix hidden mailboxes
– fix initial email display
– notmuch: fix time window search.
– fix resize bugs
– notmuch: fix entire-thread: update current email pointer
– sidebar: support indenting and shortening of names
– Handle variables inside backticks in sidebar_whitelist
– browser: fix mask regex error reporting
* Translations
– 100% Lithuanian
– 99% Chinese (simplified)
* Build
– Use regexes for common parsing tasks: urls, dates
– Add configure option –pcre2 — Enable PCRE2 regular expressions
– Add configure option –tdb — Use TDB for the header cache
– Add configure option –rocksdb — Use RocksDB for the header cache
– Create libstore (key/value backends)
– Update to latest autosetup
– Update to latest acutest.h
– Rename doc/ directory to docs/
– make: fix location of .Po dependency files
– Change libcompress to be more universal
– Fix test fails on ??32
– fix uidvalidity to unsigned 32-bit int
* Code
– Increase test coverage
– Fix memory leaks
– Fix null checks
* Upstream
– Buffer refactoring
– Fix use-after-free in mutt_str_replace()
– Clarify PGP Pseudo-header S<id> duration
– Try to respect MUTT_QUIET for IMAP contexts too
– Limit recurse depth when parsing mime messages
– Update to 20200320:
* Bug Fixes
– Fix COLUMNS env var
– Fix sync after delete
– Fix crash in notmuch
– Fix sidebar indent
– Fix emptying trash
– Fix command line sending
– Fix reading large address lists
– Resolve symlinks only when necessary
* Translations
– lithuania 100% Lithuanian
– es 96% Spanish
* Docs
– Include OpenSSL/LibreSSL/GnuTLS version in neomutt -v output
– Fix case of GPGME and SQLite
* Build
– Create libcompress (lz4, zlib, zstd)
– Create libhistory
– Create libbcache
– Move zstrm to libconn
* Code
– Add more test coverage
– Rename magic to type
– Use mutt_file_fopen() on config variables
– Change commands to use intptr_t for data
– Update to 20200313:
* Window layout
– Sidebar is only visible when it’s usable.
* Features
– UI: add number of old messages to sidebar_format
– UI: support ISO 8601 calendar date
– UI: fix commands that don???t need to have a non-empty mailbox to be
valid
– PGP: inform about successful decryption of inline PGP messages
– PGP: try to infer the signing key from the From address
– PGP: enable GPGMe by default
– Notmuch: use query as name for vfolder-from-query
– IMAP: add network traffic compression (COMPRESS=DEFLATE, RFC4978)
– Header cache: add support for generic header cache compression
* Bug Fixes
– Fix uncollapse_jump
– Only try to perform entire-thread on maildir/mh mailboxes
– Fix crash in pager
– Avoid logging single new lines at the end of header fields
– Fix listing mailboxes
– Do not recurse a non-threaded message
– Fix initial window order
– Fix leaks on IMAP error paths
– Notmuch: compose(attach-message): support notmuch backend
– Fix IMAP flag comparison code
– Fix $move for IMAP mailboxes
– Maildir: maildir_mbox_check_stats should only update mailbox stats
if requested
– Fix unmailboxes for virtual mailboxes
– Maildir: sanitize filename before hashing
– OAuth: if ‘login’ name isn’t available use ‘user’
– Add error message on failed encryption
– Fix a bunch of crashes
– Force C locale for email date
– Abort if run without a terminal
* Changed Config
– $crypt_use_gpgme – Now defaults to ‘yes’ (enabled)
– $abort_backspace – Hitting backspace against an empty prompt aborts
the prompt
– $abort_key – String representation of key to abort prompts
– $arrow_string – Use an custom string for arrow_cursor
– $crypt_opportunistic_encrypt_strong_keys – Enable encryption
only when strong a key is available
– $header_cache_compress_dictionary – Filepath to dictionary for zstd
compression
– $header_cache_compress_level – Level of compression for method
– $header_cache_compress_method – Enable generic hcache database
compression
– $imap_deflate – Compress network traffic
– $smtp_user – Username for the SMTP server
* Translations
– 100% Lithuanian
– 81% Spanish
– 78% Russian
* Build
– Add libdebug
– Rename public headers to lib.h
– Create libcompress for compressed folders code
* Code
– Refactor Windows and Dialogs
– Lots of code tidying
– Refactor: mutt_addrlist_{search,write}
– Lots of improvements to the Config code
– Use Buffers more pervasively
– Unify API function naming
– Rename library shared headers
– Refactor libconn gui dependencies
– Refactor: init.[ch]
– Refactor config to use subsets
– Config: add path type
– Remove backend deps from the connection code
* Upstream
– Allow ~b ~B ~h patterns in send2-hook
– Rename smime oppenc mode parameter to get_keys_by_addr()
– Add $crypt_opportunistic_encrypt_strong_keys config var
– Fix crash when polling a closed ssl connection
– Turn off auto-clear outside of autocrypt initialization
– Add protected-headers=”v1″ to Content-Type when protecting headers
– Fix segv in IMAP postponed menu caused by reopen_allow
– Adding ISO 8601 calendar date
– Fix $fcc_attach to not prompt in batch mode
– Convert remaining mutt_encode_path() call to use struct Buffer
– Fix rendering of replacement_char when Charset_is_utf8
– Update to latest acutest.h
– Update to 20191207:
* Features:
– compose: draw status bar with highlights
* Bug Fixes:
– crash opening notmuch mailbox
– crash in mutt_autocrypt_ui_recommendation
– Avoid negative allocation
– Mbox new mail
– Setting of DT_MAILBOX type variables from Lua
– imap: empty cmdbuf before connecting
– imap: select the mailbox on reconnect
– compose: fix attach message
* Build:
– make files conditional
* Code:
– enum-ify log levels
– fix function prototypes
– refactor virtual email lookups
– factor out global Context
– Changes from 20191129:
* Features:
– Add raw mailsize expando (%cr)
* Bug Fixes:
– Avoid double question marks in bounce confirmation msg
– Fix bounce confirmation
– fix new-mail flags and behaviour
– fix: browser <descend-directory>
– fix ssl crash
– fix move to trash
– fix flickering
– Do not check hidden mailboxes for new mail
– Fix new_mail_command notifications
– fix crash in examine_mailboxes()
– fix crash in mutt_sort_threads()
– fix: crash after sending
– Fix crash in tunnel’s conn_close
– fix fcc for deep dirs
– imap: fix crash when new mail arrives
– fix colour ‘quoted9’
– quieten messages on exit
– fix: crash after failed mbox_check
– browser: default to a file/dir view when attaching a file
* Changed Config:
– Change $write_bcc to default off
* Docs:
– Add a bit more documentation about sending
– Clarify $write_bcc documentation.
– Update documentation for raw size expando
– docbook: set generate.consistent.ids to make generated html
reproducible
* Build:
– fix build/tests for 32-bit arches
– tests: fix test that would fail soon
– tests: fix context for failing idna tests
– Update to 20191111: Bug fixes:
* browser: fix directory view
* fix crash in mutt_extract_token()
* force a screen refresh
* fix crash sending message from command line
* notmuch: use nm_default_uri if no mailbox data
* fix forward attachments
* fix: vfprintf undefined behaviour in body_handler
* Fix relative symlink resolution
* fix: trash to non-existent file/dir
* fix re-opening of mbox Mailboxes
* close logging as late as possible
* log unknown mailboxes
* fix crash in command line postpone
* fix memory leaks
* fix icommand parsing
* fix new mail interaction with mail_check_recent
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or “zypper patch”.
Alternatively you can run the command listed for your product:
– openSUSE Leap 15.2:
zypper in -t patch openSUSE-2020-2127=1
– openSUSE Leap 15.1:
zypper in -t patch openSUSE-2020-2127=1
Package List:
– openSUSE Leap 15.2 (x86_64):
neomutt-20201120-lp152.2.3.1
neomutt-debuginfo-20201120-lp152.2.3.1
neomutt-debugsource-20201120-lp152.2.3.1
– openSUSE Leap 15.2 (noarch):
neomutt-doc-20201120-lp152.2.3.1
neomutt-lang-20201120-lp152.2.3.1
– openSUSE Leap 15.1 (x86_64):
neomutt-20201120-lp151.2.3.1
neomutt-debuginfo-20201120-lp151.2.3.1
neomutt-debugsource-20201120-lp151.2.3.1
– openSUSE Leap 15.1 (noarch):
neomutt-doc-20201120-lp151.2.3.1
neomutt-lang-20201120-lp151.2.3.1
References:
https://www.suse.com/security/cve/CVE-2020-14093.html
https://www.suse.com/security/cve/CVE-2020-14154.html
https://www.suse.com/security/cve/CVE-2020-14954.html
https://www.suse.com/security/cve/CVE-2020-28896.html
https://bugzilla.suse.com/1172906
https://bugzilla.suse.com/1172935
https://bugzilla.suse.com/1173197
https://bugzilla.suse.com/1179035
https://bugzilla.suse.com/1179113_______________________________________________
openSUSE Security Announce mailing list — security-announce@lists.opensuse.org
To unsubscribe, email security-announce-leave@lists.opensuse.org
List Netiquette: https://en.opensuse.org/openSUSE:Mailing_list_netiquette
List Archives: https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org