Detections
Analytics

openSUSE Security Update : neomutt (openSUSE-2020-2127)

medium Nessus Plugin ID 143462

Language:

Synopsis

The remote openSUSE host is missing a security update.

Description

This update for neomutt fixes the following issues :

Update neomutt to 20201120. Address boo#1179035, CVE-2020-28896.

 - Security

 - imap: close connection on all failures

 - Features

 - alias: add function to Alias/Query dialogs

 - config: add validators for (imap,smtp,pop)_authenticators

 - config: warn when signature file is missing or not readable

 - smtp: support for native SMTP LOGIN auth mech

 - notmuch: show originating folder in index

 - Bug Fixes

 - sidebar: prevent the divider colour bleeding out

 - sidebar: fix <sidebar-(next,prev)-new>

 - notmuch: fix query for current email

 - restore shutdown-hook functionality

 - crash in reply-to

 - user-after-free in folder-hook

 - fix some leaks

 - fix application of limits to modified mailboxes

 - write Date header when postponing

 - Translations

 - 100% Lithuanian

 - 100% Czech

 - 70% Turkish

 - Docs

 - Document that $sort_alias affects the query menu

 - Build

 - improve ASAN flags

 - add SASL and S/MIME to --everything

 - fix contrib (un)install

 - Code

 - my_hdr compose screen notifications

 - add contracts to the MXAPI

 - maildir refactoring

 - further reduce the use of global variables

 - Upstream

 - Add $count_alternatives to count attachments inside alternatives

 - Changes from 20200925

 - Features

 - Compose: display user-defined headers

 - Address Book / Query: live sorting

 - Address Book / Query: patterns for searching

 - Config: Add '+=' and '-=' operators for String Lists

 - Config: Add '+=' operator for Strings

 - Allow postfix query ':setenv NAME?' for env vars

 - Bug Fixes

 - Fix crash when searching with invalid regexes

 - Compose: Prevent infinite loop of send2-hooks

 - Fix sidebar on new/removed mailboxes

 - Restore indentation for named mailboxes

 - Prevent half-parsing an alias

 - Remove folder creation prompt for POP path

 - Show error if $message_cachedir doesn't point to a valid directory

 - Fix tracking LastDir in case of IMAP paths with Unicode characters

 - Make sure all mail gets applied the index limit

 - Add warnings to -Q query CLI option

 - Fix index tracking functionality

 - Changed Config

 - Add $compose_show_user_headers (yes)

 - Translations

 - 100% Czech

 - 100% Lithuanian

 - Split up usage strings

 - Build

 - Run shellcheck on hcachever.sh

 - Add the Address Sanitizer

 - Move compose files to lib under compose/

 - Move address config into libaddress

 - Update to latest acutest - fixes a memory leak in the unit tests

 - Code

 - Implement ARRAY API

 - Deglobalised the Config Sort functions

 - Refactor the Sidebar to be Event-Driven

 - Refactor the Color Event

 - Refactor the Commands list

 - Make ctx_update_tables private

 - Reduce the scope/deps of some Validator functions

 - Use the Email's IMAP UID instead of an increasing number as index

 - debug: log window focus

 - Removed neomutt-sidebar-abbreviate-shorten-what-user-sees.patch.
 No longer needed.

 - Update to 20200821 :

 - Bug Fixes

 - fix maildir flag generation

 - fix query notmuch if file is missing

 - notmuch: don't abort sync on error

 - fix type checking for send config variables

 - Changed Config

 - $sidebar_format - Use %D rather than %B for named mailboxes

 - Translations

 - 96% Lithuanian

 - 90% Polish

 - fix(sidebar): abbreviate/shorten what user sees

 - Fix sidebar mailbox name display problem.

- Update to 20200814 :

 - Notes

 - Add one-liner docs to config items See: neomutt -O -Q smart_wrap

 - Remove the built-in editor A large unused and unusable feature

 - Security

 - Add mitigation against DoS from thousands of parts boo#1179113

 - Features

 - Allow index-style searching in postpone menu

 - Open NeoMutt using a mailbox name

 - Add cd command to change the current working directory

 - Add tab-completion menu for patterns

 - Allow renaming existing mailboxes

 - Check for missing attachments in alternative parts

 - Add one-liner docs to config items

 - Bug Fixes

 - Fix logic in checking an empty From address

 - Fix Imap crash in cmd_parse_expunge()

 - Fix setting attributes with S-Lang

 - Fix: redrawing of $pager_index_lines

 - Fix progress percentage for syncing large mboxes

 - Fix sidebar drawing in presence of indentation + named mailboxes

 - Fix retrieval of drafts when 'postponed' is not in the mailboxes list

 - Do not add comments to address group terminators

 - Fix alias sorting for degenerate addresses

 - Fix attaching emails

 - Create directories for nonexistent file hcache case

 - Avoid creating mailboxes for failed subscribes

 - Fix crash if rejecting cert

 - Changed Config

 - Add $copy_decode_weed, $pipe_decode_weed, $print_decode_weed

 - Change default of $crypt_protected_headers_subject to '...'

 - Add default keybindings to history-up/down

 - Translations

 - 100% Czech

 - 100% Spanish

 - Build

 - Allow building against Lua 5.4

 - Fix when sqlite3.h is missing

 - Docs

 - Add a brief section on stty to the manual

 - Update section 'Terminal Keybindings' in the manual

 - Clarify PGP Pseudo-header S<id> duration

 - Code

 - Clean up String API

 - Make the Sidebar more independent

 - De-centralise the Config Variables

 - Refactor dialogs

 - Refactor: Help Bar generation

 - Make more APIs Context-free

 - Adjust the edata use in Maildir and Notmuch

 - Window refactoring

 - Convert libsend to use Config functions

 - Refactor notifications to reduce noise

 - Convert Keymaps to use STAILQ

 - Track currently selected email by msgid

 - Config: no backing global variable

 - Add events for key binding

 - Upstream

 - Fix imap postponed mailbox use-after-free error

 - Speed up thread sort when many long threads exist

 - Fix ~v tagging when switching to non-threaded sorting

 - Add message/global to the list of known 'message' types

 - Print progress meter when copying/saving tagged messages

 - Remove ansi formatting from autoview generated quoted replies

 - Change postpone mode to write Date header too

 - Unstuff format=flowed

 - Update to 20200626 :

 - Bug Fixes

 - Avoid opening the same hcache file twice

 - Re-open Mailbox after folder-hook

 - Fix the matching of the spoolfile Mailbox

 - Fix link-thread to link all tagged emails

 - Changed Config

 - Add $tunnel_is_secure config, defaulting to true

 - Upstream

 - Don't check IMAP PREAUTH encryption if $tunnel is in use

 - Add recommendation to use $ssl_force_tls

 - Changes from 20200501 :

 - Security

 - Abort GnuTLS certificate check if a cert in the chain is rejected CVE-2020-14154 boo#1172906

 - TLS: clear data after a starttls acknowledgement CVE-2020-14954 boo#1173197

 - Prevent possible IMAP MITM via PREAUTH response CVE-2020-14093 boo#1172935

 - Features

 - add config operations +=/-= for number,long

 - Address book has a comment field

 - Query menu has a comment field

 - Contrib sample.neomuttrc-starter: Do not echo prompted password

 - Bug Fixes

 - make 'news://' and 'nntp://' schemes interchangeable

 - Fix CRLF to LF conversion in base64 decoding

 - Double comma in query

 - compose: fix redraw after history

 - Crash inside empty query menu

 - mmdf: fix creating new mailbox

 - mh: fix creating new mailbox

 - mbox: error out when an mbox/mmdf is a pipe

 - Fix list-reply by correct parsing of List-Post headers

 - Decode references according to RFC2047

 - fix tagged message count

 - hcache: fix keylen not being considered when building the full key

 - sidebar: fix path comparison

 - Don't mess with the original pattern when running IMAP searches

 - Handle IMAP 'NO' resps by issuing a msg instead of failing badly

 - imap: use the connection delimiter if provided

 - Memory leaks

 - Changed Config

 - $alias_format default changed to include %c comment

 - $query_format default changed to include %e extra info

 - Translations

 - 100% Lithuanian

 - 84% French

 - Log the translation in use

 - Docs

 - Add missing commands unbind, unmacro to man pages

 - Build

 - Check size of long using LONG_MAX instead of __WORDSIZE

 - Allow ./configure to not record cflags

 - fix out-of-tree build

 - Avoid locating gdbm symbols in qdbm library

 - Code

 - Refactor unsafe TAILQ returns

 - add window notifications

 - flip negative ifs

 - Update to latest acutest.h

 - test: add store tests

 - test: add compression tests

 - graphviz: email

 - make more opcode info available

 - refactor: main_change_folder()

 - refactor: mutt_mailbox_next()

 - refactor: generate_body()

 - compress: add (min,max)_level to ComprOps

 - emphasise empty loops: '// do nothing'

 - prex: convert is_from() to use regex

 - Refactor IMAP's search routines

 - Update to 20200501 :

 - Bug Fixes

 - Make sure buffers are initialized on error

 - fix(sidebar): use abbreviated path if possible

 - Translations

 - 100% Lithuanian

 - Docs

 - make header cache config more explicit

 - Changes from 20200424 :

 - Bug Fixes

 - Fix history corruption

 - Handle pretty much anything in a URL query part

 - Correctly parse escaped characters in header phrases

 - Fix crash reading received header

 - Fix sidebar indentation

 - Avoid crashing on failure to parse an IMAP mailbox

 - Maildir: handle deleted emails correctly

 - Ensure OP_NULL is always first

 - Translations

 - 100% Czech

 - Build

 - cirrus: enable pcre2, make pkgconf a special case

 - Fix finding pcre2 w/o pkgconf

 - build: tdb.h needs size_t, bring it in with stddef.h

 - Changes from 20200417 :

 - Features

 - Fluid layout for Compose Screen, see:
 vimeo.com/407231157

 - Trivial Database (TDB) header cache backend

 - RocksDB header cache backend

 - Add <sidebar-first> and <sidebar-last> functions

 - Bug Fixes

 - add error for CLI empty emails

 - Allow spaces and square brackets in paths

 - browser: fix hidden mailboxes

 - fix initial email display

 - notmuch: fix time window search.

 - fix resize bugs

 - notmuch: fix entire-thread: update current email pointer

 - sidebar: support indenting and shortening of names

 - Handle variables inside backticks in sidebar_whitelist

 - browser: fix mask regex error reporting

 - Translations

 - 100% Lithuanian

 - 99% Chinese (simplified)

 - Build

 - Use regexes for common parsing tasks: urls, dates

 - Add configure option --pcre2 -- Enable PCRE2 regular expressions

 - Add configure option --tdb -- Use TDB for the header cache

 - Add configure option --rocksdb -- Use RocksDB for the header cache

 - Create libstore (key/value backends)

 - Update to latest autosetup

 - Update to latest acutest.h

 - Rename doc/ directory to docs/

 - make: fix location of .Po dependency files

 - Change libcompress to be more universal

 - Fix test fails on &#x445;32

 - fix uidvalidity to unsigned 32-bit int

 - Code

 - Increase test coverage

 - Fix memory leaks

 - Fix null checks

 - Upstream

 - Buffer refactoring

 - Fix use-after-free in mutt_str_replace()

 - Clarify PGP Pseudo-header S<id> duration

 - Try to respect MUTT_QUIET for IMAP contexts too

 - Limit recurse depth when parsing mime messages

 - Update to 20200320 :

 - Bug Fixes

 - Fix COLUMNS env var

 - Fix sync after delete

 - Fix crash in notmuch

 - Fix sidebar indent

 - Fix emptying trash

 - Fix command line sending

 - Fix reading large address lists

 - Resolve symlinks only when necessary

 - Translations

 - lithuania 100% Lithuanian

 - es 96% Spanish

 - Docs

 - Include OpenSSL/LibreSSL/GnuTLS version in neomutt -v output

 - Fix case of GPGME and SQLite

 - Build

 - Create libcompress (lz4, zlib, zstd)

 - Create libhistory

 - Create libbcache

 - Move zstrm to libconn

 - Code

 - Add more test coverage

 - Rename magic to type

 - Use mutt_file_fopen() on config variables

 - Change commands to use intptr_t for data

 - Update to 20200313 :

 - Window layout

 - Sidebar is only visible when it's usable.

 - Features

 - UI: add number of old messages to sidebar_format

 - UI: support ISO 8601 calendar date

 - UI: fix commands that don&rsquo;t need to have a non-empty mailbox to be valid

 - PGP: inform about successful decryption of inline PGP messages

 - PGP: try to infer the signing key from the From address

 - PGP: enable GPGMe by default

 - Notmuch: use query as name for vfolder-from-query

 - IMAP: add network traffic compression (COMPRESS=DEFLATE, RFC4978)

 - Header cache: add support for generic header cache compression

 - Bug Fixes

 - Fix uncollapse_jump

 - Only try to perform entire-thread on maildir/mh mailboxes

 - Fix crash in pager

 - Avoid logging single new lines at the end of header fields

 - Fix listing mailboxes

 - Do not recurse a non-threaded message

 - Fix initial window order

 - Fix leaks on IMAP error paths

 - Notmuch: compose(attach-message): support notmuch backend

 - Fix IMAP flag comparison code

 - Fix $move for IMAP mailboxes

 - Maildir: maildir_mbox_check_stats should only update mailbox stats if requested

 - Fix unmailboxes for virtual mailboxes

 - Maildir: sanitize filename before hashing

 - OAuth: if 'login' name isn't available use 'user'

 - Add error message on failed encryption

 - Fix a bunch of crashes

 - Force C locale for email date

 - Abort if run without a terminal

 - Changed Config

 - $crypt_use_gpgme - Now defaults to 'yes' (enabled)

 - $abort_backspace - Hitting backspace against an empty prompt aborts the prompt

 - $abort_key - String representation of key to abort prompts

 - $arrow_string - Use an custom string for arrow_cursor

 - $crypt_opportunistic_encrypt_strong_keys - Enable encryption only when strong a key is available

 - $header_cache_compress_dictionary - Filepath to dictionary for zstd compression

 - $header_cache_compress_level - Level of compression for method

 - $header_cache_compress_method - Enable generic hcache database compression

 - $imap_deflate - Compress network traffic

 - $smtp_user - Username for the SMTP server

 - Translations

 - 100% Lithuanian

 - 81% Spanish

 - 78% Russian

 - Build

 - Add libdebug

 - Rename public headers to lib.h

 - Create libcompress for compressed folders code

 - Code

 - Refactor Windows and Dialogs

 - Lots of code tidying

 - Refactor: mutt_addrlist_(search,write)

 - Lots of improvements to the Config code

 - Use Buffers more pervasively

 - Unify API function naming

 - Rename library shared headers

 - Refactor libconn gui dependencies

 - Refactor: init.[ch]

 - Refactor config to use subsets

 - Config: add path type

 - Remove backend deps from the connection code

 - Upstream

 - Allow ~b ~B ~h patterns in send2-hook

 - Rename smime oppenc mode parameter to get_keys_by_addr()

 - Add $crypt_opportunistic_encrypt_strong_keys config var

 - Fix crash when polling a closed ssl connection

 - Turn off auto-clear outside of autocrypt initialization

 - Add protected-headers='v1' to Content-Type when protecting headers

 - Fix segv in IMAP postponed menu caused by reopen_allow

 - Adding ISO 8601 calendar date

 - Fix $fcc_attach to not prompt in batch mode

 - Convert remaining mutt_encode_path() call to use struct Buffer

 - Fix rendering of replacement_char when Charset_is_utf8

 - Update to latest acutest.h

 - Update to 20191207 :

 - Features :

 - compose: draw status bar with highlights

 - Bug Fixes :

 - crash opening notmuch mailbox

 - crash in mutt_autocrypt_ui_recommendation

 - Avoid negative allocation

 - Mbox new mail

 - Setting of DT_MAILBOX type variables from Lua

 - imap: empty cmdbuf before connecting

 - imap: select the mailbox on reconnect

 - compose: fix attach message

 - Build :

 - make files conditional

 - Code :

 - enum-ify log levels

 - fix function prototypes

 - refactor virtual email lookups

 - factor out global Context

 - Changes from 20191129 :

 - Features :

 - Add raw mailsize expando (%cr)

 - Bug Fixes :

 - Avoid double question marks in bounce confirmation msg

 - Fix bounce confirmation

 - fix new-mail flags and behaviour

 - fix: browser <descend-directory>

 - fix ssl crash

 - fix move to trash

 - fix flickering

 - Do not check hidden mailboxes for new mail

 - Fix new_mail_command notifications

 - fix crash in examine_mailboxes()

 - fix crash in mutt_sort_threads()

 - fix: crash after sending

 - Fix crash in tunnel's conn_close

 - fix fcc for deep dirs

 - imap: fix crash when new mail arrives

 - fix colour 'quoted9'

 - quieten messages on exit

 - fix: crash after failed mbox_check

 - browser: default to a file/dir view when attaching a file

 - Changed Config :

 - Change $write_bcc to default off

 - Docs :

 - Add a bit more documentation about sending

 - Clarify $write_bcc documentation.

 - Update documentation for raw size expando

 - docbook: set generate.consistent.ids to make generated html reproducible

 - Build :

 - fix build/tests for 32-bit arches

 - tests: fix test that would fail soon

 - tests: fix context for failing idna tests

 - Update to 20191111: Bug fixes :

 - browser: fix directory view

 - fix crash in mutt_extract_token()

 - force a screen refresh

 - fix crash sending message from command line

 - notmuch: use nm_default_uri if no mailbox data

 - fix forward attachments

 - fix: vfprintf undefined behaviour in body_handler

 - Fix relative symlink resolution

 - fix: trash to non-existent file/dir

 - fix re-opening of mbox Mailboxes

 - close logging as late as possible

 - log unknown mailboxes

 - fix crash in command line postpone

 - fix memory leaks

 - fix icommand parsing

 - fix new mail interaction with mail_check_recent

Solution

Update the affected neomutt packages.

See Also

https://bugzilla.opensuse.org/show_bug.cgi?id=1172906

https://bugzilla.opensuse.org/show_bug.cgi?id=1172935

https://bugzilla.opensuse.org/show_bug.cgi?id=1173197

https://bugzilla.opensuse.org/show_bug.cgi?id=1179035

https://bugzilla.opensuse.org/show_bug.cgi?id=1179113

Plugin Details

Severity: Medium

ID: 143462

File Name: openSUSE-2020-2127.nasl

Version: 1.4

Type: local

Agent: unix

Published: 12/3/2020

Updated: 2/7/2024

Supported Sensors: Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.6

CVSS v2

Risk Factor: Medium

Base Score: 5.8

Temporal Score: 4.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N

CVSS Score Source: CVE-2020-14154

CVSS v3

Risk Factor: Medium

Base Score: 5.9

Temporal Score: 5.2

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS Score Source: CVE-2020-14954

Vulnerability Information

CPE: p-cpe:/a:novell:opensuse:neomutt, p-cpe:/a:novell:opensuse:neomutt-debuginfo, p-cpe:/a:novell:opensuse:neomutt-debugsource, p-cpe:/a:novell:opensuse:neomutt-lang, cpe:/o:novell:opensuse:15.1, cpe:/o:novell:opensuse:15.2

Required KB Items: Host/local_checks_enabled, Host/SuSE/release, Host/SuSE/rpm-list, Host/cpu

Exploit Ease: No known exploits are available

Patch Publication Date: 11/30/2020

Vulnerability Publication Date: 6/15/2020

Reference Information

CVE: CVE-2020-14093, CVE-2020-14154, CVE-2020-14954, CVE-2020-28896