openSUSE Security Update : neomutt (openSUSE-2020-2127)

medium Nessus Plugin ID 143462

Synopsis

The remote openSUSE host is missing a security update.

Description

This update for neomutt fixes the following issues :

Update neomutt to 20201120. Address boo#1179035, CVE-2020-28896.

- Security

- imap: close connection on all failures

- Features

- alias: add function to Alias/Query dialogs

- config: add validators for (imap,smtp,pop)_authenticators

- config: warn when signature file is missing or not readable

- smtp: support for native SMTP LOGIN auth mech

- notmuch: show originating folder in index

- Bug Fixes

- sidebar: prevent the divider colour bleeding out

- sidebar: fix <sidebar-(next,prev)-new>

- notmuch: fix query for current email

- restore shutdown-hook functionality

- crash in reply-to

- use-after-free in folder-hook

- fix some leaks

- fix application of limits to modified mailboxes

- write Date header when postponing

- Translations

- 100% Lithuanian

- 100% Czech

- 70% Turkish

- Docs

- Document that $sort_alias affects the query menu

- Build

- improve ASAN flags

- add SASL and S/MIME to --everything

- fix contrib (un)install

- Code

- my_hdr compose screen notifications

- add contracts to the MXAPI

- maildir refactoring

- further reduce the use of global variables

- Upstream

- Add $count_alternatives to count attachments inside alternatives

- Changes from 20200925

- Features

- Compose: display user-defined headers

- Address Book / Query: live sorting

- Address Book / Query: patterns for searching

- Config: Add '+=' and '-=' operators for String Lists

- Config: Add '+=' operator for Strings

- Allow postfix query ':setenv NAME?' for env vars

- Bug Fixes

- Fix crash when searching with invalid regexes

- Compose: Prevent infinite loop of send2-hooks

- Fix sidebar on new/removed mailboxes

- Restore indentation for named mailboxes

- Prevent half-parsing an alias

- Remove folder creation prompt for POP path

- Show error if $message_cachedir doesn't point to a valid directory

- Fix tracking LastDir in case of IMAP paths with Unicode characters

- Make sure the index limit is applied to all mail

- Add warnings to -Q query CLI option

- Fix index tracking functionality

- Changed Config

- Add $compose_show_user_headers (yes)

- Translations

- 100% Czech

- 100% Lithuanian

- Split up usage strings

- Build

- Run shellcheck on hcachever.sh

- Add the Address Sanitizer

- Move compose files to lib under compose/

- Move address config into libaddress

- Update to latest acutest - fixes a memory leak in the unit tests

- Code

- Implement ARRAY API

- Deglobalised the Config Sort functions

- Refactor the Sidebar to be Event-Driven

- Refactor the Color Event

- Refactor the Commands list

- Make ctx_update_tables private

- Reduce the scope/deps of some Validator functions

- Use the Email's IMAP UID instead of an increasing number as index

- debug: log window focus

- Removed neomutt-sidebar-abbreviate-shorten-what-user-sees.patch. No longer needed.

- Update to 20200821 :

- Bug Fixes

- fix maildir flag generation

- fix query notmuch if file is missing

- notmuch: don't abort sync on error

- fix type checking for send config variables

- Changed Config

- $sidebar_format - Use %D rather than %B for named mailboxes

- Translations

- 96% Lithuanian

- 90% Polish

- fix(sidebar): abbreviate/shorten what user sees

- Fix sidebar mailbox name display problem.

- Update to 20200814 :

- Notes

- Add one-liner docs to config items. See: neomutt -O -Q smart_wrap

- Remove the built-in editor, a large unused and unusable feature

- Security

- Add mitigation against DoS from thousands of parts (boo#1179113)

- Features

- Allow index-style searching in postpone menu

- Open NeoMutt using a mailbox name

- Add cd command to change the current working directory

- Add tab-completion menu for patterns

- Allow renaming existing mailboxes

- Check for missing attachments in alternative parts

- Add one-liner docs to config items

- Bug Fixes

- Fix logic in checking an empty From address

- Fix Imap crash in cmd_parse_expunge()

- Fix setting attributes with S-Lang

- Fix: redrawing of $pager_index_lines

- Fix progress percentage for syncing large mboxes

- Fix sidebar drawing in presence of indentation + named mailboxes

- Fix retrieval of drafts when 'postponed' is not in the mailboxes list

- Do not add comments to address group terminators

- Fix alias sorting for degenerate addresses

- Fix attaching emails

- Create directories for nonexistent file hcache case

- Avoid creating mailboxes for failed subscribes

- Fix crash if rejecting cert

- Changed Config

- Add $copy_decode_weed, $pipe_decode_weed, $print_decode_weed

- Change default of $crypt_protected_headers_subject to '...'

- Add default keybindings to history-up/down

- Translations

- 100% Czech

- 100% Spanish

- Build

- Allow building against Lua 5.4

- Fix when sqlite3.h is missing

- Docs

- Add a brief section on stty to the manual

- Update section 'Terminal Keybindings' in the manual

- Clarify PGP Pseudo-header S<id> duration

- Code

- Clean up String API

- Make the Sidebar more independent

- De-centralise the Config Variables

- Refactor dialogs

- Refactor: Help Bar generation

- Make more APIs Context-free

- Adjust the edata use in Maildir and Notmuch

- Window refactoring

- Convert libsend to use Config functions

- Refactor notifications to reduce noise

- Convert Keymaps to use STAILQ

- Track currently selected email by msgid

- Config: no backing global variable

- Add events for key binding

- Upstream

- Fix imap postponed mailbox use-after-free error

- Speed up thread sort when many long threads exist

- Fix ~v tagging when switching to non-threaded sorting

- Add message/global to the list of known 'message' types

- Print progress meter when copying/saving tagged messages

- Remove ansi formatting from autoview generated quoted replies

- Change postpone mode to write Date header too

- Unstuff format=flowed

- Update to 20200626 :

- Bug Fixes

- Avoid opening the same hcache file twice

- Re-open Mailbox after folder-hook

- Fix the matching of the spoolfile Mailbox

- Fix link-thread to link all tagged emails

- Changed Config

- Add $tunnel_is_secure config, defaulting to true

- Upstream

- Don't check IMAP PREAUTH encryption if $tunnel is in use

- Add recommendation to use $ssl_force_tls

- Changes from 20200501 :

- Security

- Abort GnuTLS certificate check if a cert in the chain is rejected (CVE-2020-14154, boo#1172906)

- TLS: clear data after a starttls acknowledgement (CVE-2020-14954, boo#1173197)

- Prevent possible IMAP MITM via PREAUTH response (CVE-2020-14093, boo#1172935)

- Features

- add config operations +=/-= for number,long

- Address book has a comment field

- Query menu has a comment field

- Contrib sample.neomuttrc-starter: Do not echo prompted password

- Bug Fixes

- make 'news://' and 'nntp://' schemes interchangeable

- Fix CRLF to LF conversion in base64 decoding

- Double comma in query

- compose: fix redraw after history

- Crash inside empty query menu

- mmdf: fix creating new mailbox

- mh: fix creating new mailbox

- mbox: error out when an mbox/mmdf is a pipe

- Fix list-reply by correct parsing of List-Post headers

- Decode references according to RFC2047

- fix tagged message count

- hcache: fix keylen not being considered when building the full key

- sidebar: fix path comparison

- Don't mess with the original pattern when running IMAP searches

- Handle IMAP 'NO' responses by issuing a message instead of failing badly

- imap: use the connection delimiter if provided

- Memory leaks

- Changed Config

- $alias_format default changed to include %c comment

- $query_format default changed to include %e extra info

- Translations

- 100% Lithuanian

- 84% French

- Log the translation in use

- Docs

- Add missing commands unbind, unmacro to man pages

- Build

- Check size of long using LONG_MAX instead of __WORDSIZE

- Allow ./configure to not record cflags

- fix out-of-tree build

- Avoid locating gdbm symbols in qdbm library

- Code

- Refactor unsafe TAILQ returns

- add window notifications

- flip negative ifs

- Update to latest acutest.h

- test: add store tests

- test: add compression tests

- graphviz: email

- make more opcode info available

- refactor: main_change_folder()

- refactor: mutt_mailbox_next()

- refactor: generate_body()

- compress: add (min,max)_level to ComprOps

- emphasise empty loops: '// do nothing'

- prex: convert is_from() to use regex

- Refactor IMAP's search routines

- Update to 20200501 :

- Bug Fixes

- Make sure buffers are initialized on error

- fix(sidebar): use abbreviated path if possible

- Translations

- 100% Lithuanian

- Docs

- make header cache config more explicit

- Changes from 20200424 :

- Bug Fixes

- Fix history corruption

- Handle pretty much anything in a URL query part

- Correctly parse escaped characters in header phrases

- Fix crash reading received header

- Fix sidebar indentation

- Avoid crashing on failure to parse an IMAP mailbox

- Maildir: handle deleted emails correctly

- Ensure OP_NULL is always first

- Translations

- 100% Czech

- Build

- cirrus: enable pcre2, make pkgconf a special case

- Fix finding pcre2 w/o pkgconf

- build: tdb.h needs size_t, bring it in with stddef.h

- Changes from 20200417 :

- Features

- Fluid layout for Compose Screen, see: vimeo.com/407231157

- Trivial Database (TDB) header cache backend

- RocksDB header cache backend

- Add <sidebar-first> and <sidebar-last> functions

- Bug Fixes

- add error for CLI empty emails

- Allow spaces and square brackets in paths

- browser: fix hidden mailboxes

- fix initial email display

- notmuch: fix time window search.

- fix resize bugs

- notmuch: fix entire-thread: update current email pointer

- sidebar: support indenting and shortening of names

- Handle variables inside backticks in sidebar_whitelist

- browser: fix mask regex error reporting

- Translations

- 100% Lithuanian

- 99% Chinese (simplified)

- Build

- Use regexes for common parsing tasks: urls, dates

- Add configure option --pcre2 -- Enable PCRE2 regular expressions

- Add configure option --tdb -- Use TDB for the header cache

- Add configure option --rocksdb -- Use RocksDB for the header cache

- Create libstore (key/value backends)

- Update to latest autosetup

- Update to latest acutest.h

- Rename doc/ directory to docs/

- make: fix location of .Po dependency files

- Change libcompress to be more universal

- Fix test fails on x32

- fix uidvalidity to unsigned 32-bit int

- Code

- Increase test coverage

- Fix memory leaks

- Fix null checks

- Upstream

- Buffer refactoring

- Fix use-after-free in mutt_str_replace()

- Clarify PGP Pseudo-header S<id> duration

- Try to respect MUTT_QUIET for IMAP contexts too

- Limit recurse depth when parsing mime messages

- Update to 20200320 :

- Bug Fixes

- Fix COLUMNS env var

- Fix sync after delete

- Fix crash in notmuch

- Fix sidebar indent

- Fix emptying trash

- Fix command line sending

- Fix reading large address lists

- Resolve symlinks only when necessary

- Translations

- 100% Lithuanian

- 96% Spanish

- Docs

- Include OpenSSL/LibreSSL/GnuTLS version in neomutt -v output

- Fix case of GPGME and SQLite

- Build

- Create libcompress (lz4, zlib, zstd)

- Create libhistory

- Create libbcache

- Move zstrm to libconn

- Code

- Add more test coverage

- Rename magic to type

- Use mutt_file_fopen() on config variables

- Change commands to use intptr_t for data

- Update to 20200313 :

- Window layout

- Sidebar is only visible when it's usable.

- Features

- UI: add number of old messages to sidebar_format

- UI: support ISO 8601 calendar date

- UI: fix commands that don't need to have a non-empty mailbox to be valid

- PGP: inform about successful decryption of inline PGP messages

- PGP: try to infer the signing key from the From address

- PGP: enable GPGMe by default

- Notmuch: use query as name for vfolder-from-query

- IMAP: add network traffic compression (COMPRESS=DEFLATE, RFC4978)

- Header cache: add support for generic header cache compression

- Bug Fixes

- Fix uncollapse_jump

- Only try to perform entire-thread on maildir/mh mailboxes

- Fix crash in pager

- Avoid logging single new lines at the end of header fields

- Fix listing mailboxes

- Do not recurse a non-threaded message

- Fix initial window order

- Fix leaks on IMAP error paths

- Notmuch: compose(attach-message): support notmuch backend

- Fix IMAP flag comparison code

- Fix $move for IMAP mailboxes

- Maildir: maildir_mbox_check_stats should only update mailbox stats if requested

- Fix unmailboxes for virtual mailboxes

- Maildir: sanitize filename before hashing

- OAuth: if 'login' name isn't available use 'user'

- Add error message on failed encryption

- Fix a bunch of crashes

- Force C locale for email date

- Abort if run without a terminal

- Changed Config

- $crypt_use_gpgme - Now defaults to 'yes' (enabled)

- $abort_backspace - Hitting backspace against an empty prompt aborts the prompt

- $abort_key - String representation of key to abort prompts

- $arrow_string - Use a custom string for arrow_cursor

- $crypt_opportunistic_encrypt_strong_keys - Enable encryption only when a strong key is available

- $header_cache_compress_dictionary - Filepath to dictionary for zstd compression

- $header_cache_compress_level - Level of compression for method

- $header_cache_compress_method - Enable generic hcache database compression

- $imap_deflate - Compress network traffic

- $smtp_user - Username for the SMTP server

- Translations

- 100% Lithuanian

- 81% Spanish

- 78% Russian

- Build

- Add libdebug

- Rename public headers to lib.h

- Create libcompress for compressed folders code

- Code

- Refactor Windows and Dialogs

- Lots of code tidying

- Refactor: mutt_addrlist_(search,write)

- Lots of improvements to the Config code

- Use Buffers more pervasively

- Unify API function naming

- Rename library shared headers

- Refactor libconn gui dependencies

- Refactor: init.[ch]

- Refactor config to use subsets

- Config: add path type

- Remove backend deps from the connection code

- Upstream

- Allow ~b ~B ~h patterns in send2-hook

- Rename smime oppenc mode parameter to get_keys_by_addr()

- Add $crypt_opportunistic_encrypt_strong_keys config var

- Fix crash when polling a closed ssl connection

- Turn off auto-clear outside of autocrypt initialization

- Add protected-headers='v1' to Content-Type when protecting headers

- Fix segv in IMAP postponed menu caused by reopen_allow

- Adding ISO 8601 calendar date

- Fix $fcc_attach to not prompt in batch mode

- Convert remaining mutt_encode_path() call to use struct Buffer

- Fix rendering of replacement_char when Charset_is_utf8

- Update to latest acutest.h

- Update to 20191207 :

- Features :

- compose: draw status bar with highlights

- Bug Fixes :

- crash opening notmuch mailbox

- crash in mutt_autocrypt_ui_recommendation

- Avoid negative allocation

- Mbox new mail

- Setting of DT_MAILBOX type variables from Lua

- imap: empty cmdbuf before connecting

- imap: select the mailbox on reconnect

- compose: fix attach message

- Build :

- make files conditional

- Code :

- enum-ify log levels

- fix function prototypes

- refactor virtual email lookups

- factor out global Context

- Changes from 20191129 :

- Features :

- Add raw mailsize expando (%cr)

- Bug Fixes :

- Avoid double question marks in bounce confirmation msg

- Fix bounce confirmation

- fix new-mail flags and behaviour

- fix: browser <descend-directory>

- fix ssl crash

- fix move to trash

- fix flickering

- Do not check hidden mailboxes for new mail

- Fix new_mail_command notifications

- fix crash in examine_mailboxes()

- fix crash in mutt_sort_threads()

- fix: crash after sending

- Fix crash in tunnel's conn_close

- fix fcc for deep dirs

- imap: fix crash when new mail arrives

- fix colour 'quoted9'

- quieten messages on exit

- fix: crash after failed mbox_check

- browser: default to a file/dir view when attaching a file

- Changed Config :

- Change $write_bcc to default off

- Docs :

- Add a bit more documentation about sending

- Clarify $write_bcc documentation.

- Update documentation for raw size expando

- docbook: set generate.consistent.ids to make generated html reproducible

- Build :

- fix build/tests for 32-bit arches

- tests: fix test that would fail soon

- tests: fix context for failing idna tests

- Update to 20191111 :

- Bug Fixes :

- browser: fix directory view

- fix crash in mutt_extract_token()

- force a screen refresh

- fix crash sending message from command line

- notmuch: use nm_default_uri if no mailbox data

- fix forward attachments

- fix: vfprintf undefined behaviour in body_handler

- Fix relative symlink resolution

- fix: trash to non-existent file/dir

- fix re-opening of mbox Mailboxes

- close logging as late as possible

- log unknown mailboxes

- fix crash in command line postpone

- fix memory leaks

- fix icommand parsing

- fix new mail interaction with mail_check_recent

Solution

Update the affected neomutt packages.

See Also

https://bugzilla.opensuse.org/show_bug.cgi?id=1172906

https://bugzilla.opensuse.org/show_bug.cgi?id=1172935

https://bugzilla.opensuse.org/show_bug.cgi?id=1173197

https://bugzilla.opensuse.org/show_bug.cgi?id=1179035

https://bugzilla.opensuse.org/show_bug.cgi?id=1179113

Plugin Details

Severity: Medium

ID: 143462

File Name: openSUSE-2020-2127.nasl

Version: 1.4

Type: local

Agent: unix

Published: 12/3/2020

Updated: 2/7/2024

Supported Sensors: Frictionless Assessment AWS, Frictionless Assessment Azure, Frictionless Assessment Agent, Nessus Agent, Continuous Assessment, Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.6

CVSS v2

Risk Factor: Medium

Base Score: 5.8

Temporal Score: 4.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N

CVSS Score Source: CVE-2020-14154

CVSS v3

Risk Factor: Medium

Base Score: 5.9

Temporal Score: 5.2

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS Score Source: CVE-2020-14954

Vulnerability Information

CPE: cpe:/o:novell:opensuse:15.1, p-cpe:/a:novell:opensuse:neomutt, p-cpe:/a:novell:opensuse:neomutt-lang, cpe:/o:novell:opensuse:15.2, p-cpe:/a:novell:opensuse:neomutt-debuginfo, p-cpe:/a:novell:opensuse:neomutt-debugsource

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 11/30/2020

Vulnerability Publication Date: 6/15/2020

Reference Information

CVE: CVE-2020-14093, CVE-2020-14154, CVE-2020-14954, CVE-2020-28896