Lucene search

K
suseSuseOPENSUSE-SU-2022:10020-1
HistoryJun 21, 2022 - 12:00 a.m.

Security update for neomutt (moderate)

2022-06-2100:00:00
lists.opensuse.org
20

9.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

5.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:N/A:P

An update that fixes two vulnerabilities is now available.

Description:

This update for neomutt fixes the following issues:

neomutt was updated to 20220429:

  • Bug Fixes
  • Do not crash on an invalid use_threads/sort combination
  • Fix: stuck browser cursor
  • Resolve (move) the cursor after <edit-label>
  • Index: fix menu size on new mail
  • Don’t overlimit LMDB mmap size
  • OpenBSD y/n translation fix
  • Generic: split out OP_EXIT binding
  • Fix parsing of sendmail cmd
  • Fix: crash with menu_move_off=no
  • Newsrc: bugfix; nntp_user and nntp_pass ignored
  • Menu: ensure config changes cause a repaint
  • Mbox: fix sync duplicates
  • Make sure the index redraws all that’s needed
  • Translations
  • 100% Chinese (Simplified)
  • 100% Czech
  • 100% German
  • 100% Hungarian
  • 100% Lithuanian
  • 100% Serbian
  • 100% Turkish
  • Docs
  • add missing pattern modifier ~I for external_search_command
  • Code
  • menu: eliminate custom_redraw()
  • modernise mixmaster
  • Kill global and Propagate display attach status through State-

neomutt was updated to 20220415:

  • Security
  • Fix uudecode buffer overflow (CVE-2022-1328)
  • Features
  • Colours, colours, colours
  • Bug Fixes
  • Pager: fix pager_stop
  • Merge colours with normal
  • Color: disable mono command
  • Fix forwarding text attachments when honor_disposition is set
  • Pager: drop the nntp change-group bindings
  • Use mailbox_check flags coherently, add IMMEDIATE flag
  • Fix: tagging in attachment list
  • Fix: misalignment of mini-index
  • Make sure to update the menu size after a resort
  • Translations
  • 100% Hungarian
  • Build
  • Update acutest
  • Code
  • Unify pipe functions
  • Index: notify if navigation fails
  • Gui: set colour to be merged with normal
  • Fix: leak in tls_check_one_certificate()
  • Upstream
  • Flush iconv() in mutt_convert_string()
  • Fix integer overflow in mutt_convert_string()
  • Fix uudecode cleanup on unexpected eof

update to 20220408:

  • Compose multipart emails
  • Fix screen mode after attempting decryption
  • imap: increase max size of oauth2 token
  • Fix autocrypt
  • Unify Alias/Query workflow
  • Fix colours
  • Say which file exists when saving attachments
  • Force SMTP authentication if smtp_user is set
  • Fix selecting the right email after limiting
  • Make sure we have enough memory for a new email
  • Don’t overwrite with zeroes after unlinking the file
  • Fix crash when forwarding attachments
  • Fix help reformatting on window resize
  • Fix poll to use PollFdsCount and not PollFdsLen
  • regex: range check arrays strictly
  • Fix Coverity defects
  • Fix out of bounds write with long log lines
  • Apply fast_reply to ‘to’, ‘cc’, or ‘bcc’
  • Prevent warning on empty emails
  • New default: set rfc2047_parameters = yes
  • 100% German
  • 100% Lithuanian
  • 100% Serbian
  • 100% Czech
  • 100% Turkish
  • 72% Hungarian
  • Improve header cache explanation
  • Improve description of some notmuch variables
  • Explain how timezones and !s work inside %{}, %[] and %()
  • Document config synonyms and deprecations
  • Create lots of GitHub Actions
  • Drop TravisCI
  • Add automated Fuzzing tests
  • Add automated ASAN tests
  • Create Dockers for building Centos/Fedora
  • Build fixes for Solaris 10
  • New libraries: browser, enter, envelope
  • New configure options: --fuzzing --debug-color --debug-queue
  • Split Index/Pager GUIs/functions
  • Add lots of function dispatchers
  • Eliminate menu_loop()
  • Refactor function opcodes
  • Refactor cursor setting
  • Unify Alias/Query functions
  • Refactor Compose/Envelope functions
  • Modernise the Colour handling
  • Refactor the Attachment View
  • Eliminate the global Context
  • Upgrade mutt_get_field()
  • Refactor the color quoted code
  • Fix lots of memory leaks
  • Refactor Index resolve code
  • Refactor PatternList parsing
  • Refactor Mailbox freeing
  • Improve key mapping
  • Factor out charset hooks
  • Expose mutt_file_seek API
  • Improve API of strto* wrappers
  • imap QRESYNC fixes
  • Allow an empty To: address prompt
  • Fix argc==0 handling
  • Don’t queue IMAP close commands
  • Fix IMAP UTF-7 for code points >= U+10000
  • Don’t include inactive messages in msgset generation

update to 20211029 (boo#1185705, CVE-2021-32055):

  • Notmuch: support separate database and mail roots without .notmuch
  • fix notmuch crash on open failure
  • fix crypto crash handling pgp keys
  • fix ncrypt/pgp file_get_size return check
  • fix restore case-insensitive header sort
  • fix pager redrawing of long lines
  • fix notmuch: check database dir for xapian dir
  • fix notmuch: update index count after <entire-thread>
  • fix protect hash table against empty keys
  • fix prevent real_subj being set but empty
  • fix leak when saving fcc
  • fix leak after <edit-or-view-raw-message>
  • fix leak after trash to hidden mailbox
  • fix leak restoring postponed emails
  • fix new mail notifications
  • fix pattern compilation error for ( !>(~P) )
  • fix menu display on window resize
  • Stop batch mode emails with no argument or recipients
  • Add sanitize call in print mailcap function
  • fix hdr_order to use the longest match
  • fix (un)setenv to not return an error with unset env vars
  • fix Imap sync when closing a mailbox
  • fix segfault on OpenBSD current
  • sidebar: restore sidebar_spoolfile colour
  • fix assert when displaying a file from the browser
  • fix exec command in compose
  • fix check_stats for Notmuch mailboxes
  • Fallback: Open Notmuch database without config
  • fix gui hook commands on startup
  • threads: implement the $use_threads feature
  • https://neomutt.org/feature/use-threads
  • hooks: allow a -noregex param to folder and mbox hooks
  • mailing lists: implement list-(un)subscribe using RFC2369 headers
  • mailcap: implement x-neomutt-nowrap flag
  • pager: add $local_date_header option
  • imap, smtp: add support for authenticating using XOAUTH2
  • Allow <sync-mailbox> to fail quietly
  • imap: speed up server-side searches
  • pager: improve skip-quoted and skip-headers
  • notmuch: open database with user’s configuration
  • notmuch: implement <vfolder-window-reset>
  • config: allow += modification of my_ variables
  • notmuch: tolerate file renames behind neomutt’s back
  • pager: implement $pager_read_delay
  • notmuch: validate nm_query_window_timebase
  • notmuch: make $nm_record work in non-notmuch mailboxes
  • compose: add $greeting - a welcome message on top of emails
  • notmuch: show additional mail in query windows
  • imap: fix crash on external IMAP events
  • notmuch: handle missing libnotmuch version bumps
  • imap: add sanity check for qresync
  • notmuch: allow windows with 0 duration
  • index: fix index selection on <collapse-all>
  • imap: fix crash when sync’ing labels
  • search: fix searching by Message-Id in <mark-message>
  • threads: fix double sorting of threads
  • stats: don’t check mailbox stats unless told
  • alias: fix crash on empty query
  • pager: honor mid-message config changes
  • mailbox: don’t propagate read-only state across reopens
  • hcache: fix caching new labels in the header cache
  • crypto: set invalidity flags for gpgme/smime keys
  • notmuch: fix parsing of multiple type=
  • notmuch: validate $nm_default_url
  • messages: avoid unnecessary opening of messages
  • imap: fix seqset iterator when it ends in a comma
  • build: refuse to build without pcre2 when pcre2 is linked in ncurses

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or “zypper patch”.

Alternatively you can run the command listed for your product:

  • openSUSE Backports SLE-15-SP4:

    zypper in -t patch openSUSE-2022-10020=1

9.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

5.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:N/A:P

Related for OPENSUSE-SU-2022:10020-1