Bug 19326 - Updated version of Mutt (1.2) has IMAP security hole fixed
Summary: Updated version of Mutt (1.2) has IMAP security hole fixed
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: mutt
Version: 6.2
Hardware: All Linux
high
medium
Assignee: Bill Nottingham
QA Contact: David Lawrence
URL: http://www.mutt.org/news.html
Keywords: Security
Reported: 2000-10-18 17:50 UTC by jon
Modified: 2014-03-17 02:16 UTC

Doc Type: Bug Fix
Last Closed: 2000-11-21 20:41:27 UTC

External Trackers
Tracker: Red Hat Product Errata
ID: RHSA-2001:029
Priority: normal
Status: SHIPPED_LIVE
Summary: New mutt packages fix IMAP vulnerability/incompatibility
Last Updated: 2001-03-09 05:00:00 UTC

Description jon 2000-10-18 17:50:08 UTC
From Mutt's news page:

Mutt 1.2.5 was released on July 28, 2000. This is the latest maintenance
update of the stable branch of mutt, and this time, we really suggest that
you update. 

This release fixes at least one grave IMAP error which may lead to
confusing display and other strangeness, and our instances of the "wuftpd
format bug", which had (mostly) the effect that your IMAP server's operator
could break into your computer with some work. 


Looks to me like this should be fixed!  Thanks!

Comment 1 jon 2000-10-18 17:53:55 UTC
Also, as long as you're doing this, you might want to build ssl-IMAP support in,
as you've already got openssl available now when you didn't before. Then again,
maybe not.

Comment 2 Bill Nottingham 2000-10-19 17:55:13 UTC
We would not add SSL support to a 6.2 errata, as we
didn't ship SSL for 6.2.

Comment 3 jon 2000-10-19 18:23:07 UTC
You're right; it's technically a "Package Enhancement," but was listed on the
errata page, which confused me:

http://www.redhat.com/support/errata/RHEA-2000-085-02.html

Comment 4 Daniel Roesen 2000-10-19 18:25:38 UTC
You did:

openssl-0.9.5a-1.6.x.i386.rpm        openssl-perl-0.9.5a-1.6.x.i386.rpm
openssl-devel-0.9.5a-1.6.x.i386.rpm  openssl-python-0.9.5a-1.6.x.i386.rpm

As updates, a few days ago. Just make openssl a prerequisite for the mutt 
update (same story as the RPM 3.0.5 update).


Comment 5 Bill Nottingham 2000-10-19 19:27:39 UTC
I stand corrected. Gee, I go away for two weeks and all hell
breaks loose. ;)

Comment 6 jon 2000-11-21 19:29:18 UTC
Would be nice if there was an update on this: the update is almost four months
old, and the bug report is more than a month with no activity --- its status is
still "NEW"

Comment 7 Daniel Roesen 2000-11-21 20:26:59 UTC
Seconded.

While we're at it... please consider adding the Compressed Folders Patch which
is available here:

http://www.spinnaker.de/mutt/compressed/
http://www.spinnaker.de/mutt/compressed/patch-1.2.5.rr.compressed.1.gz

As you can see from the _long_ history this patch is really mature and in use by
_many_ people. We are not the only people enrolling our own mutt RPMs site-wide
just to have this patch in. :-]

Please advise if I should file that as a separate RFE.

Comment 8 Bill Nottingham 2000-11-21 20:41:24 UTC
Currently waiting on 1.2.6i; the lead developer mentioned it was about
time to do it two weeks ago, which was right when we were finishing
up the packages.

Comment 9 Bill Nottingham 2001-05-02 21:06:58 UTC
This finally did get errata'd.

