SuseOPENSUSE-SU-2019:0052-1Security update for mutt (important)
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.019 Low
EPSS
Percentile
87.3%
An update that solves 16 vulnerabilities and has 6 fixes is
now available.
Description:
This update for mutt fixes the following issues:
Security issues fixed:
- bsc#1101428: Mutt 1.10.1 security release update.
- CVE-2018-14351: Fix imap/command.c that mishandles long IMAP status
mailbox literal count size (bsc#1101583). - CVE-2018-14353: Fix imap_quote_string in imap/util.c that has an integer
underflow (bsc#1101581). - CVE-2018-14362: Fix pop.c that does not forbid characters that may have
unsafe interaction with message-cache pathnames (bsc#1101567). - CVE-2018-14354: Fix arbitrary command execution from remote IMAP servers
via backquote characters (bsc#1101578). - CVE-2018-14352: Fix imap_quote_string in imap/util.c that does not leave
room for quote characters (bsc#1101582). - CVE-2018-14356: Fix pop.c that mishandles a zero-length UID
(bsc#1101576). - CVE-2018-14355: Fix imap/util.c that mishandles “…” directory traversal
in a mailbox name (bsc#1101577). - CVE-2018-14349: Fix imap/command.c that mishandles a NO response without
a message (bsc#1101589). - CVE-2018-14350: Fix imap/message.c that has a stack-based buffer
overflow for a FETCH response with along INTERNALDATE field
(bsc#1101588). - CVE-2018-14363: Fix newsrc.c that does not properlyrestrict ‘/’
characters that may have unsafe interaction with cache pathnames
(bsc#1101566). - CVE-2018-14359: Fix buffer overflow via base64 data (bsc#1101570).
- CVE-2018-14358: Fix imap/message.c that has a stack-based buffer
overflow for a FETCH response with along RFC822.SIZE field (bsc#1101571). - CVE-2018-14360: Fix nntp_add_group in newsrc.c that has a stack-based
buffer overflow because of incorrect sscanf usage (bsc#1101569). - CVE-2018-14357: Fix that remote IMAP servers are allowed to execute
arbitrary commands via backquote characters (bsc#1101573). - CVE-2018-14361: Fix that nntp.c proceeds even if memory allocation fails
for messages data (bsc#1101568).
Bug fixes:
- mutt reports as neomutt and incorrect version (bsc#1094717)
- No sidebar available in mutt 1.6.1 from Tumbleweed snapshot 20160517
(bsc#980830) - mutt-1.6.1 unusable when built with --enable-sidebar (bsc#982129)
- (neo)mutt displaying times in Zulu time (bsc#1061343)
- mutt unconditionally segfaults when displaying a message (bsc#986534)
- For openSUSE Leap 42.3, retain split of -lang and -doc (boo#1120935)
This update was imported from the SUSE:SLE-12:Update update project.
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or “zypper patch”.
Alternatively you can run the command listed for your product:
-
openSUSE Leap 42.3:
zypper in -t patch openSUSE-2019-52=1
| OS | Version | Architecture | Package | Version | Filename |
|---|---|---|---|---|---|
| openSUSE Leap | 42.3 | noarch | < - openSUSE Leap 42.3 (noarch): | - openSUSE Leap 42.3 (noarch):.noarch.rpm | |
| openSUSE Leap | 42.3 | x86_64 | < - openSUSE Leap 42.3 (x86_64): | - openSUSE Leap 42.3 (x86_64):.x86_64.rpm |
Related
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.019 Low
EPSS
Percentile
87.3%