Mutt had incorrect error handling when initially connecting to an IMAP server, which could result in an attempt to authenticate without enabling TLS.

References:
http://lists.mutt.org/pipermail/mutt-announce/Week-of-Mon-20201116/000031.html
https://mailman.neomutt.org/pipermail/neomutt-users-neomutt.org/2020-November/000929.html

Upstream patches:
https://gitlab.com/muttmua/mutt/-/commit/04b06aaa3e0cc0022b9b01dbca2863756ebbf59a
https://github.com/neomutt/neomutt/commit/9c36717a3e2af1f2c1b7242035455ec8112b4b06
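The flaw described above is a fall-through: an error on the STARTTLS step that should end the session instead lets the client continue to the LOGIN step in the clear. The following is an added example, not code from mutt or neomutt. It scripts a toy IMAP exchange (server replies written by hand for the demo) with two clients: one that models the failure mode by treating a STARTTLS error as non-fatal, and a hardened one that refuses to send credentials unless TLS was actually established. The names ScriptedServer, login_vulnerable and login_hardened are invented for this illustration; the vulnerable path is a model of the mistake, not mutt's actual code.

```python
# Added example (not mutt/neomutt code): why a STARTTLS failure must abort
# the IMAP session instead of falling through to LOGIN.

class ImapError(Exception):
    """Raised by the hardened client when TLS cannot be established."""


class ScriptedServer:
    """Hand-written stand-in for an IMAP server (constructed, not captured)."""

    def __init__(self, starttls_reply="OK"):
        self.starttls_reply = starttls_reply  # "OK", "NO" or "BAD"
        self.tls_active = False
        self.seen_in_clear = []  # commands an on-path observer could read

    def greeting(self):
        return "* OK IMAP4rev1 server ready"

    def command(self, tag, line):
        if not self.tls_active:
            self.seen_in_clear.append(line)
        verb = line.split()[0].upper()
        if verb == "STARTTLS":
            if self.starttls_reply == "OK":
                self.tls_active = True  # the TLS handshake would follow here
            return f"{tag} {self.starttls_reply} STARTTLS"
        if verb == "LOGIN":
            return f"{tag} OK LOGIN completed"
        if verb == "LOGOUT":
            return f"{tag} OK bye"
        return f"{tag} BAD unknown command"


def _tagged_status(reply, tag):
    """Return the status word (OK/NO/BAD) of the tagged reply, or None."""
    for ln in reply.splitlines():
        parts = ln.split(maxsplit=2)
        if len(parts) >= 2 and parts[0] == tag:
            return parts[1].upper()
    return None


def login_vulnerable(server, user, password):
    """Models the flawed flow: a STARTTLS error is noticed, then ignored."""
    server.greeting()
    status = _tagged_status(server.command("a001", "STARTTLS"), "a001")
    if status != "OK":
        print("warning: STARTTLS failed")  # error noted, but flow continues
    # Credentials are sent regardless of whether TLS is up.
    reply = server.command("a002", f"LOGIN {user} {password}")
    return _tagged_status(reply, "a002") == "OK"


def login_hardened(server, user, password):
    """Hardened flow: no credentials leave the client unless TLS is up."""
    server.greeting()
    status = _tagged_status(server.command("a001", "STARTTLS"), "a001")
    tls_established = status == "OK"  # handshake only happens after an OK
    if not tls_established:
        # Any NO/BAD/missing reply means "no TLS"; never fall back to plaintext.
        raise ImapError(f"STARTTLS not established (status={status}); aborting")
    reply = server.command("a002", f"LOGIN {user} {password}")
    return _tagged_status(reply, "a002") == "OK"


if __name__ == "__main__":
    bad = ScriptedServer("NO")
    login_vulnerable(bad, "alice", "hunter2")
    print("vulnerable client exposed:", bad.seen_in_clear)
    bad = ScriptedServer("NO")
    try:
        login_hardened(bad, "alice", "hunter2")
    except ImapError as exc:
        print("hardened client:", exc)
    print("hardened client exposed:", bad.seen_in_clear)
```

The server's `seen_in_clear` list stands in for what a network-level observer could read; with a failing STARTTLS the vulnerable client's list contains the LOGIN line, the hardened client's list never does. The same check belongs anywhere a client offers a TLS upgrade step: the decision to send a secret must depend on the client's own record of a completed handshake, not on the absence of an error path being handled.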
Created mutt tracking bugs for this issue: Affects: fedora-all [bug 1900827]
Statement: Red Hat Product Security has rated the severity of this flaw as Moderate because, although the Confidentiality impact is high, the attack complexity is also high: an attacker would at least need to coordinate social engineering of a victim into connecting to a bad server, and also perform a man-in-the-middle attack or similar interception of the connection. Please see the following page for details on Red Hat severity ratings, with special attention to Moderate: https://access.redhat.com/security/updates/classification
This issue has been addressed in the following products:
Red Hat Enterprise Linux 8, via RHSA-2021:4181: https://access.redhat.com/errata/RHSA-2021:4181