19326 – Updated version of Mutt (1.2) has IMAP security hole fixed

Bug 19326 - Updated version of Mutt (1.2) has IMAP security hole fixed

Summary: Updated version of Mutt (1.2) has IMAP security hole fixed

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Linux
Classification:	Retired
Component:	mutt
Sub Component:
Version:	6.2
Hardware:	All
OS:	Linux
Priority:	high
Severity:	medium
Target Milestone:	---
Assignee:	Bill Nottingham
QA Contact:	David Lawrence
Docs Contact:
URL:	http://www.mutt.org/news.html
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2000-10-18 17:50 UTC by jon
Modified:	2014-03-17 02:16 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2000-11-21 20:41:27 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2001:029	0	normal	SHIPPED_LIVE	: New mutt packages fix IMAP vulnerability/incompatibility	2001-03-09 05:00:00 UTC

Description jon 2000-10-18 17:50:08 UTC

From Mutt's news page:

Mutt 1.2.5 was released on July 28, 2000. This is the latest maintenance
update of the stable branch of mutt, and this time, we really suggest that
you update. 

This release fixes at least one grave IMAP error which may lead to
confusing display and other strangeness, and our instances of the "wuftpd
format bug", which had (mostly) the effect that your IMAP server's operator
could break into your computer with some work. 


Looks to me like this should be fixed!  Thanks!

Comment 1 jon 2000-10-18 17:53:55 UTC

Also, as long as you're doing this, you might want to build ssl-IMAP support in,
as you've already got openssl available now when you didn't before. Then again,
maybe not.

Comment 2 Bill Nottingham 2000-10-19 17:55:13 UTC

We would not add SSL support to a 6.2 errata, as we
didn't ship SSL for 6.2.

Comment 3 jon 2000-10-19 18:23:07 UTC

You're right; it's technically a "Package Enhancement," but was listed on the
errata page, which confused me:

http://www.redhat.com/support/errata/RHEA-2000-085-02.html

Comment 4 Daniel Roesen 2000-10-19 18:25:38 UTC

You did:

openssl-0.9.5a-1.6.x.i386.rpm        openssl-perl-0.9.5a-1.6.x.i386.rpm
openssl-devel-0.9.5a-1.6.x.i386.rpm  openssl-python-0.9.5a-1.6.x.i386.rpm

As updates, a few days ago. Just make openssl a prerequisite for the mutt 
update (same story as the RPM 3.0.5 update).

Comment 5 Bill Nottingham 2000-10-19 19:27:39 UTC

I stand corrected. Gee, I go away for two weeks and all hell
breaks loose. ;)

Comment 6 jon 2000-11-21 19:29:18 UTC

Would be nice if there was an update on this: the update is almost four months
old, and the bug report is more than a month with no activity --- its status is
still "NEW"

Comment 7 Daniel Roesen 2000-11-21 20:26:59 UTC

Seconded.

While we're at it... please consider adding the Compressed Folders Patch which
is available here:

http://www.spinnaker.de/mutt/compressed/
http://www.spinnaker.de/mutt/compressed/patch-1.2.5.rr.compressed.1.gz

As you can see from the _long_ history this patch is really mature and in use by
_many_ people. We are not the only people enrolling our own mutt RPMs site-wide
just to have this patch in. :-]

Please advise if I should file that as a seperate RFE.

Comment 8 Bill Nottingham 2000-11-21 20:41:24 UTC

Currently waiting on 1.2.6i; the lead developer mentioned it was about
time to do it two weeks ago, which was right when we were finishing
up the packages.

Comment 9 Bill Nottingham 2001-05-02 21:06:58 UTC

This finally did get errata'd.

Note You need to log in before you can comment on or make changes to this bug.