1848287 – (CVE-2020-14154) CVE-2020-14154 mutt: TLS mishandling during connection

Bug 1848287 (CVE-2020-14154) - CVE-2020-14154 mutt: TLS mishandling during connection

Summary: CVE-2020-14154 mutt: TLS mishandling during connection

Keywords:
Status:	CLOSED WONTFIX
Alias:	CVE-2020-14154
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1848288 1850348 1850349
Blocks:	1848289
TreeView+	depends on / blocked

Reported:	2020-06-18 07:39 UTC by Marian Rehak
Modified:	2022-02-14 14:50 UTC (History)
CC List:	8 users (show)
Fixed In Version:	mutt 1.14.3
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2022-02-14 14:50:45 UTC
Embargoed:

Attachments	(Terms of Use)

Description Marian Rehak 2020-06-18 07:39:43 UTC

Mutt before 1.14.3 proceeds with a connection even if, in response to a GnuTLS certificate prompt, the user rejects an expired intermediate certificate.

Upstream Reference:

http://lists.mutt.org/pipermail/mutt-announce/Week-of-Mon-20200608/000022.html

Comment 1 Marian Rehak 2020-06-18 07:40:08 UTC

Created mutt tracking bugs for this issue:

Affects: fedora-all [bug 1848288]

Comment 3 Huzaifa S. Sidhpurwala 2020-06-24 06:43:38 UTC

External References:

http://lists.mutt.org/pipermail/mutt-announce/Week-of-Mon-20200608/000022.html

Comment 4 Huzaifa S. Sidhpurwala 2020-06-24 06:49:39 UTC

Upstream patches:

https://github.com/muttmua/mutt/commit/f64ec1de
https://github.com/muttmua/mutt/commit/5fccf603
https://github.com/muttmua/mutt/commit/bb0e6277

Comment 6 Fabio Alessandro Locati 2022-02-13 20:53:52 UTC

This has been fixed in following versions. Can we close this bug?

Note You need to log in before you can comment on or make changes to this bug.