Bug 19326

Summary: Updated version of Mutt (1.2) has IMAP security hole fixed
Product: [Retired] Red Hat Linux
Reporter: jon
Component: mutt
Assignee: Bill Nottingham <notting>
Status: CLOSED ERRATA
QA Contact: David Lawrence <dkl>
Severity: medium
Priority: high
Version: 6.2
CC: dr, rvokal
Keywords: Security
Hardware: All
OS: Linux
URL: http://www.mutt.org/news.html
Doc Type: Bug Fix
Last Closed: 2000-11-21 20:41:27 UTC

Description jon 2000-10-18 17:50:08 UTC
From Mutt's news page:

Mutt 1.2.5 was released on July 28, 2000. This is the latest maintenance
update of the stable branch of mutt, and this time, we really suggest that
you update. 

This release fixes at least one grave IMAP error which may lead to
confusing display and other strangeness, and our instances of the "wuftpd
format bug", which had (mostly) the effect that your IMAP server's operator
could break into your computer with some work. 


Looks to me like this should be fixed!  Thanks!

Comment 1 jon 2000-10-18 17:53:55 UTC
Also, as long as you're doing this, you might want to build ssl-IMAP support in,
as you've already got openssl available now when you didn't before. Then again,
maybe not.

Comment 2 Bill Nottingham 2000-10-19 17:55:13 UTC
We would not add SSL support to a 6.2 errata, as we
didn't ship SSL for 6.2.

Comment 3 jon 2000-10-19 18:23:07 UTC
You're right; it's technically a "Package Enhancement," but was listed on the
errata page, which confused me:

http://www.redhat.com/support/errata/RHEA-2000-085-02.html

Comment 4 Daniel Roesen 2000-10-19 18:25:38 UTC
You did:

openssl-0.9.5a-1.6.x.i386.rpm        openssl-perl-0.9.5a-1.6.x.i386.rpm
openssl-devel-0.9.5a-1.6.x.i386.rpm  openssl-python-0.9.5a-1.6.x.i386.rpm

As updates, a few days ago. Just make openssl a prerequisite for the mutt 
update (same story as the RPM 3.0.5 update).


Comment 5 Bill Nottingham 2000-10-19 19:27:39 UTC
I stand corrected. Gee, I go away for two weeks and all hell
breaks loose. ;)

Comment 6 jon 2000-11-21 19:29:18 UTC
Would be nice if there was an update on this: the update is almost four months
old, and the bug report is more than a month with no activity --- its status is
still "NEW"

Comment 7 Daniel Roesen 2000-11-21 20:26:59 UTC
Seconded.

While we're at it... please consider adding the Compressed Folders Patch which
is available here:

http://www.spinnaker.de/mutt/compressed/
http://www.spinnaker.de/mutt/compressed/patch-1.2.5.rr.compressed.1.gz

As you can see from the _long_ history this patch is really mature and in use by
_many_ people. We are not the only people enrolling our own mutt RPMs site-wide
just to have this patch in. :-]

Please advise if I should file that as a separate RFE.

Comment 8 Bill Nottingham 2000-11-21 20:41:24 UTC
Currently waiting on 1.2.6i; the lead developer mentioned it was about
time to do it two weeks ago, which was right when we were finishing
up the packages.

Comment 9 Bill Nottingham 2001-05-02 21:06:58 UTC
This finally did get errata'd.