Bug 19326 - Updated version of Mutt (1.2) has IMAP security hole fixed
Product: Red Hat Linux
Classification: Retired
Component: mutt
Hardware: All
OS: Linux
Priority: high
Severity: medium
Assigned To: Bill Nottingham
QA Contact: David Lawrence
Keywords: Security
Reported: 2000-10-18 13:50 EDT by jon
Modified: 2014-03-16 22:16 EDT
Doc Type: Bug Fix
Last Closed: 2000-11-21 15:41:27 EST

External Trackers
Tracker | ID | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHSA-2001:029 | normal | SHIPPED_LIVE | New mutt packages fix IMAP vulnerability/incompatibility | 2001-03-09 00:00:00 EST

Description jon 2000-10-18 13:50:08 EDT
From Mutt's news page:

Mutt 1.2.5 was released on July 28, 2000. This is the latest maintenance
update of the stable branch of mutt, and this time, we really suggest that
you update. 

This release fixes at least one grave IMAP error which may lead to
confusing display and other strangeness, and our instances of the "wuftpd
format bug", which had (mostly) the effect that your IMAP server's operator
could break into your computer with some work. 

Looks to me like this should be fixed!  Thanks!
Comment 1 jon 2000-10-18 13:53:55 EDT
Also, as long as you're doing this, you might want to build ssl-IMAP support in,
as you've already got openssl available now when you didn't before. Then again,
maybe not.
Comment 2 Bill Nottingham 2000-10-19 13:55:13 EDT
We would not add SSL support to a 6.2 errata, as we
didn't ship SSL for 6.2.
Comment 3 jon 2000-10-19 14:23:07 EDT
You're right; it's technically a "Package Enhancement," but was listed on the
errata page, which confused me:

Comment 4 Daniel Roesen 2000-10-19 14:25:38 EDT
You did:

openssl-0.9.5a-1.6.x.i386.rpm        openssl-perl-0.9.5a-1.6.x.i386.rpm
openssl-devel-0.9.5a-1.6.x.i386.rpm  openssl-python-0.9.5a-1.6.x.i386.rpm

As updates, a few days ago. Just make openssl a prerequisite for the mutt 
update (same story as the RPM 3.0.5 update).
Comment 5 Bill Nottingham 2000-10-19 15:27:39 EDT
I stand corrected. Gee, I go away for two weeks and all hell
breaks loose. ;)
Comment 6 jon 2000-11-21 14:29:18 EST
Would be nice if there was an update on this: the update is almost four months
old, and the bug report is more than a month with no activity --- its status is
still "NEW"
Comment 7 Daniel Roesen 2000-11-21 15:26:59 EST

While we're at it... please consider adding the Compressed Folders Patch which
is available here:


As you can see from the _long_ history this patch is really mature and in use by
_many_ people. We are not the only people enrolling our own mutt RPMs site-wide
just to have this patch in. :-]

Please advise if I should file that as a separate RFE.
Comment 8 Bill Nottingham 2000-11-21 15:41:24 EST
Currently waiting on 1.2.6i; the lead developer mentioned it was about
time to do it two weeks ago, which was right when we were finishing
up the packages.
Comment 9 Bill Nottingham 2001-05-02 17:06:58 EDT
This finally did get errata'd.
