openSUSE Security Update : neomutt (openSUSE-2020-2127)

Medium | Nessus Plugin ID 143462

VPR Score: 3.6

Synopsis

The remote openSUSE host is missing a security update.

Description

This update for neomutt fixes the following issues :

Update neomutt to 20201120. Address boo#1179035, CVE-2020-28896.

- Security

- imap: close connection on all failures

- Features

- alias: add function to Alias/Query dialogs

- config: add validators for (imap,smtp,pop)_authenticators

- config: warn when signature file is missing or not readable

- smtp: support for native SMTP LOGIN auth mech

- notmuch: show originating folder in index

- Bug Fixes

- sidebar: prevent the divider colour bleeding out

- sidebar: fix <sidebar-(next,prev)-new>

- notmuch: fix query for current email

- restore shutdown-hook functionality

- crash in reply-to

- use-after-free in folder-hook

- fix some leaks

- fix application of limits to modified mailboxes

- write Date header when postponing

- Translations

- 100% Lithuanian

- 100% Czech

- 70% Turkish

- Docs

- Document that $sort_alias affects the query menu

- Build

- improve ASAN flags

- add SASL and S/MIME to --everything

- fix contrib (un)install

- Code

- my_hdr compose screen notifications

- add contracts to the MXAPI

- maildir refactoring

- further reduce the use of global variables

- Upstream

- Add $count_alternatives to count attachments inside alternatives

- Changes from 20200925

- Features

- Compose: display user-defined headers

- Address Book / Query: live sorting

- Address Book / Query: patterns for searching

- Config: Add '+=' and '-=' operators for String Lists

- Config: Add '+=' operator for Strings

- Allow postfix query ':setenv NAME?' for env vars

- Bug Fixes

- Fix crash when searching with invalid regexes

- Compose: Prevent infinite loop of send2-hooks

- Fix sidebar on new/removed mailboxes

- Restore indentation for named mailboxes

- Prevent half-parsing an alias

- Remove folder creation prompt for POP path

- Show error if $message_cachedir doesn't point to a valid directory

- Fix tracking LastDir in case of IMAP paths with Unicode characters

- Make sure all mail gets applied the index limit

- Add warnings to -Q query CLI option

- Fix index tracking functionality

- Changed Config

- Add $compose_show_user_headers (yes)

- Translations

- 100% Czech

- 100% Lithuanian

- Split up usage strings

- Build

- Run shellcheck on hcachever.sh

- Add the Address Sanitizer

- Move compose files to lib under compose/

- Move address config into libaddress

- Update to latest acutest - fixes a memory leak in the unit tests

- Code

- Implement ARRAY API

- Deglobalised the Config Sort functions

- Refactor the Sidebar to be Event-Driven

- Refactor the Color Event

- Refactor the Commands list

- Make ctx_update_tables private

- Reduce the scope/deps of some Validator functions

- Use the Email's IMAP UID instead of an increasing number as index

- debug: log window focus

- Removed neomutt-sidebar-abbreviate-shorten-what-user-sees.patch. No longer needed.

- Update to 20200821 :

- Bug Fixes

- fix maildir flag generation

- fix query notmuch if file is missing

- notmuch: don't abort sync on error

- fix type checking for send config variables

- Changed Config

- $sidebar_format - Use %D rather than %B for named mailboxes

- Translations

- 96% Lithuanian

- 90% Polish

- fix(sidebar): abbreviate/shorten what user sees

- Fix sidebar mailbox name display problem.

- Update to 20200814 :

- Notes

- Add one-liner docs to config items (see: neomutt -O -Q smart_wrap)

- Remove the built-in editor, a large unused and unusable feature

- Security

- Add mitigation against DoS from thousands of parts (boo#1179113)

- Features

- Allow index-style searching in postpone menu

- Open NeoMutt using a mailbox name

- Add cd command to change the current working directory

- Add tab-completion menu for patterns

- Allow renaming existing mailboxes

- Check for missing attachments in alternative parts

- Add one-liner docs to config items

- Bug Fixes

- Fix logic in checking an empty From address

- Fix Imap crash in cmd_parse_expunge()

- Fix setting attributes with S-Lang

- Fix: redrawing of $pager_index_lines

- Fix progress percentage for syncing large mboxes

- Fix sidebar drawing in presence of indentation + named mailboxes

- Fix retrieval of drafts when 'postponed' is not in the mailboxes list

- Do not add comments to address group terminators

- Fix alias sorting for degenerate addresses

- Fix attaching emails

- Create directories for nonexistent file hcache case

- Avoid creating mailboxes for failed subscribes

- Fix crash if rejecting cert

- Changed Config

- Add $copy_decode_weed, $pipe_decode_weed, $print_decode_weed

- Change default of $crypt_protected_headers_subject to '...'

- Add default keybindings to history-up/down

- Translations

- 100% Czech

- 100% Spanish

- Build

- Allow building against Lua 5.4

- Fix when sqlite3.h is missing

- Docs

- Add a brief section on stty to the manual

- Update section 'Terminal Keybindings' in the manual

- Clarify PGP Pseudo-header S<id> duration

- Code

- Clean up String API

- Make the Sidebar more independent

- De-centralise the Config Variables

- Refactor dialogs

- Refactor: Help Bar generation

- Make more APIs Context-free

- Adjust the edata use in Maildir and Notmuch

- Window refactoring

- Convert libsend to use Config functions

- Refactor notifications to reduce noise

- Convert Keymaps to use STAILQ

- Track currently selected email by msgid

- Config: no backing global variable

- Add events for key binding

- Upstream

- Fix imap postponed mailbox use-after-free error

- Speed up thread sort when many long threads exist

- Fix ~v tagging when switching to non-threaded sorting

- Add message/global to the list of known 'message' types

- Print progress meter when copying/saving tagged messages

- Remove ansi formatting from autoview generated quoted replies

- Change postpone mode to write Date header too

- Unstuff format=flowed

- Update to 20200626 :

- Bug Fixes

- Avoid opening the same hcache file twice

- Re-open Mailbox after folder-hook

- Fix the matching of the spoolfile Mailbox

- Fix link-thread to link all tagged emails

- Changed Config

- Add $tunnel_is_secure config, defaulting to true

- Upstream

- Don't check IMAP PREAUTH encryption if $tunnel is in use

- Add recommendation to use $ssl_force_tls

- Changes from 20200501 :

- Security

- Abort GnuTLS certificate check if a cert in the chain is rejected (CVE-2020-14154, boo#1172906)

- TLS: clear data after a starttls acknowledgement (CVE-2020-14954, boo#1173197)

- Prevent possible IMAP MITM via PREAUTH response (CVE-2020-14093, boo#1172935)

- Features

- add config operations +=/-= for number,long

- Address book has a comment field

- Query menu has a comment field

- Contrib sample.neomuttrc-starter: Do not echo prompted password

- Bug Fixes

- make 'news://' and 'nntp://' schemes interchangeable

- Fix CRLF to LF conversion in base64 decoding

- Double comma in query

- compose: fix redraw after history

- Crash inside empty query menu

- mmdf: fix creating new mailbox

- mh: fix creating new mailbox

- mbox: error out when an mbox/mmdf is a pipe

- Fix list-reply by correct parsing of List-Post headers

- Decode references according to RFC2047

- fix tagged message count

- hcache: fix keylen not being considered when building the full key

- sidebar: fix path comparison

- Don't mess with the original pattern when running IMAP searches

- Handle IMAP 'NO' resps by issuing a msg instead of failing badly

- imap: use the connection delimiter if provided

- Memory leaks

- Changed Config

- $alias_format default changed to include %c comment

- $query_format default changed to include %e extra info

- Translations

- 100% Lithuanian

- 84% French

- Log the translation in use

- Docs

- Add missing commands unbind, unmacro to man pages

- Build

- Check size of long using LONG_MAX instead of __WORDSIZE

- Allow ./configure to not record cflags

- fix out-of-tree build

- Avoid locating gdbm symbols in qdbm library

- Code

- Refactor unsafe TAILQ returns

- add window notifications

- flip negative ifs

- Update to latest acutest.h

- test: add store tests

- test: add compression tests

- graphviz: email

- make more opcode info available

- refactor: main_change_folder()

- refactor: mutt_mailbox_next()

- refactor: generate_body()

- compress: add (min,max)_level to ComprOps

- emphasise empty loops: '// do nothing'

- prex: convert is_from() to use regex

- Refactor IMAP's search routines

- Update to 20200501 :

- Bug Fixes

- Make sure buffers are initialized on error

- fix(sidebar): use abbreviated path if possible

- Translations

- 100% Lithuanian

- Docs

- make header cache config more explicit

- Changes from 20200424 :

- Bug Fixes

- Fix history corruption

- Handle pretty much anything in a URL query part

- Correctly parse escaped characters in header phrases

- Fix crash reading received header

- Fix sidebar indentation

- Avoid crashing on failure to parse an IMAP mailbox

- Maildir: handle deleted emails correctly

- Ensure OP_NULL is always first

- Translations

- 100% Czech

- Build

- cirrus: enable pcre2, make pkgconf a special case

- Fix finding pcre2 w/o pkgconf

- build: tdb.h needs size_t, bring it in with stddef.h

- Changes from 20200417 :

- Features

- Fluid layout for Compose Screen, see: vimeo.com/407231157

- Trivial Database (TDB) header cache backend

- RocksDB header cache backend

- Add <sidebar-first> and <sidebar-last> functions

- Bug Fixes

- add error for CLI empty emails

- Allow spaces and square brackets in paths

- browser: fix hidden mailboxes

- fix initial email display

- notmuch: fix time window search.

- fix resize bugs

- notmuch: fix entire-thread: update current email pointer

- sidebar: support indenting and shortening of names

- Handle variables inside backticks in sidebar_whitelist

- browser: fix mask regex error reporting

- Translations

- 100% Lithuanian

- 99% Chinese (simplified)

- Build

- Use regexes for common parsing tasks: urls, dates

- Add configure option --pcre2 -- Enable PCRE2 regular expressions

- Add configure option --tdb -- Use TDB for the header cache

- Add configure option --rocksdb -- Use RocksDB for the header cache

- Create libstore (key/value backends)

- Update to latest autosetup

- Update to latest acutest.h

- Rename doc/ directory to docs/

- make: fix location of .Po dependency files

- Change libcompress to be more universal

- Fix test fails on x32

- fix uidvalidity to unsigned 32-bit int

- Code

- Increase test coverage

- Fix memory leaks

- Fix null checks

- Upstream

- Buffer refactoring

- Fix use-after-free in mutt_str_replace()

- Clarify PGP Pseudo-header S<id> duration

- Try to respect MUTT_QUIET for IMAP contexts too

- Limit recurse depth when parsing mime messages

- Update to 20200320 :

- Bug Fixes

- Fix COLUMNS env var

- Fix sync after delete

- Fix crash in notmuch

- Fix sidebar indent

- Fix emptying trash

- Fix command line sending

- Fix reading large address lists

- Resolve symlinks only when necessary

- Translations

- 100% Lithuanian

- 96% Spanish

- Docs

- Include OpenSSL/LibreSSL/GnuTLS version in neomutt -v output

- Fix case of GPGME and SQLite

- Build

- Create libcompress (lz4, zlib, zstd)

- Create libhistory

- Create libbcache

- Move zstrm to libconn

- Code

- Add more test coverage

- Rename magic to type

- Use mutt_file_fopen() on config variables

- Change commands to use intptr_t for data

- Update to 20200313 :

- Window layout

- Sidebar is only visible when it's usable.

- Features

- UI: add number of old messages to sidebar_format

- UI: support ISO 8601 calendar date

- UI: fix commands that don't need to have a non-empty mailbox to be valid

- PGP: inform about successful decryption of inline PGP messages

- PGP: try to infer the signing key from the From address

- PGP: enable GPGMe by default

- Notmuch: use query as name for vfolder-from-query

- IMAP: add network traffic compression (COMPRESS=DEFLATE, RFC4978)

- Header cache: add support for generic header cache compression

- Bug Fixes

- Fix uncollapse_jump

- Only try to perform entire-thread on maildir/mh mailboxes

- Fix crash in pager

- Avoid logging single new lines at the end of header fields

- Fix listing mailboxes

- Do not recurse a non-threaded message

- Fix initial window order

- Fix leaks on IMAP error paths

- Notmuch: compose(attach-message): support notmuch backend

- Fix IMAP flag comparison code

- Fix $move for IMAP mailboxes

- Maildir: maildir_mbox_check_stats should only update mailbox stats if requested

- Fix unmailboxes for virtual mailboxes

- Maildir: sanitize filename before hashing

- OAuth: if 'login' name isn't available use 'user'

- Add error message on failed encryption

- Fix a bunch of crashes

- Force C locale for email date

- Abort if run without a terminal

- Changed Config

- $crypt_use_gpgme - Now defaults to 'yes' (enabled)

- $abort_backspace - Hitting backspace against an empty prompt aborts the prompt

- $abort_key - String representation of key to abort prompts

- $arrow_string - Use a custom string for arrow_cursor

- $crypt_opportunistic_encrypt_strong_keys - Enable encryption only when a strong key is available

- $header_cache_compress_dictionary - Filepath to dictionary for zstd compression

- $header_cache_compress_level - Level of compression for method

- $header_cache_compress_method - Enable generic hcache database compression

- $imap_deflate - Compress network traffic

- $smtp_user - Username for the SMTP server

- Translations

- 100% Lithuanian

- 81% Spanish

- 78% Russian

- Build

- Add libdebug

- Rename public headers to lib.h

- Create libcompress for compressed folders code

- Code

- Refactor Windows and Dialogs

- Lots of code tidying

- Refactor: mutt_addrlist_(search,write)

- Lots of improvements to the Config code

- Use Buffers more pervasively

- Unify API function naming

- Rename library shared headers

- Refactor libconn gui dependencies

- Refactor: init.[ch]

- Refactor config to use subsets

- Config: add path type

- Remove backend deps from the connection code

- Upstream

- Allow ~b ~B ~h patterns in send2-hook

- Rename smime oppenc mode parameter to get_keys_by_addr()

- Add $crypt_opportunistic_encrypt_strong_keys config var

- Fix crash when polling a closed ssl connection

- Turn off auto-clear outside of autocrypt initialization

- Add protected-headers='v1' to Content-Type when protecting headers

- Fix segv in IMAP postponed menu caused by reopen_allow

- Adding ISO 8601 calendar date

- Fix $fcc_attach to not prompt in batch mode

- Convert remaining mutt_encode_path() call to use struct Buffer

- Fix rendering of replacement_char when Charset_is_utf8

- Update to latest acutest.h

- Update to 20191207 :

- Features :

- compose: draw status bar with highlights

- Bug Fixes :

- crash opening notmuch mailbox

- crash in mutt_autocrypt_ui_recommendation

- Avoid negative allocation

- Mbox new mail

- Setting of DT_MAILBOX type variables from Lua

- imap: empty cmdbuf before connecting

- imap: select the mailbox on reconnect

- compose: fix attach message

- Build :

- make files conditional

- Code :

- enum-ify log levels

- fix function prototypes

- refactor virtual email lookups

- factor out global Context

- Changes from 20191129 :

- Features :

- Add raw mailsize expando (%cr)

- Bug Fixes :

- Avoid double question marks in bounce confirmation msg

- Fix bounce confirmation

- fix new-mail flags and behaviour

- fix: browser <descend-directory>

- fix ssl crash

- fix move to trash

- fix flickering

- Do not check hidden mailboxes for new mail

- Fix new_mail_command notifications

- fix crash in examine_mailboxes()

- fix crash in mutt_sort_threads()

- fix: crash after sending

- Fix crash in tunnel's conn_close

- fix fcc for deep dirs

- imap: fix crash when new mail arrives

- fix colour 'quoted9'

- quieten messages on exit

- fix: crash after failed mbox_check

- browser: default to a file/dir view when attaching a file

- Changed Config :

- Change $write_bcc to default off

- Docs :

- Add a bit more documentation about sending

- Clarify $write_bcc documentation.

- Update documentation for raw size expando

- docbook: set generate.consistent.ids to make generated html reproducible

- Build :

- fix build/tests for 32-bit arches

- tests: fix test that would fail soon

- tests: fix context for failing idna tests

- Update to 20191111 :

- Bug Fixes :

- browser: fix directory view

- fix crash in mutt_extract_token()

- force a screen refresh

- fix crash sending message from command line

- notmuch: use nm_default_uri if no mailbox data

- fix forward attachments

- fix: vfprintf undefined behaviour in body_handler

- Fix relative symlink resolution

- fix: trash to non-existent file/dir

- fix re-opening of mbox Mailboxes

- close logging as late as possible

- log unknown mailboxes

- fix crash in command line postpone

- fix memory leaks

- fix icommand parsing

- fix new mail interaction with mail_check_recent

Solution

Update the affected neomutt packages.

See Also

https://bugzilla.opensuse.org/show_bug.cgi?id=1172906

https://bugzilla.opensuse.org/show_bug.cgi?id=1172935

https://bugzilla.opensuse.org/show_bug.cgi?id=1173197

https://bugzilla.opensuse.org/show_bug.cgi?id=1179035

https://bugzilla.opensuse.org/show_bug.cgi?id=1179113

Plugin Details

Severity: Medium

ID: 143462

File Name: openSUSE-2020-2127.nasl

Version: 1.2

Type: local

Agent: unix

Published: 12/3/2020

Updated: 12/7/2020

Dependencies: 12634

Risk Information

Risk Factor: Medium

VPR Score: 3.6

CVSS Score Source: CVE-2020-14154

CVSS v2.0

Base Score: 5.8

Temporal Score: 4.3

Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N

Temporal Vector: E:U/RL:OF/RC:C

CVSS v3.0

Base Score: 4.8

Temporal Score: 4.2

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

Temporal Vector: E:U/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:novell:opensuse:neomutt, p-cpe:/a:novell:opensuse:neomutt-debuginfo, p-cpe:/a:novell:opensuse:neomutt-debugsource, p-cpe:/a:novell:opensuse:neomutt-lang, cpe:/o:novell:opensuse:15.1, cpe:/o:novell:opensuse:15.2

Required KB Items: Host/local_checks_enabled, Host/SuSE/release, Host/SuSE/rpm-list, Host/cpu

Exploit Available: undefined

Exploit Ease: No known exploits are available

Patch Publication Date: 11/30/2020

Vulnerability Publication Date: 6/15/2020

Reference Information

CVE: CVE-2020-14093, CVE-2020-14154, CVE-2020-14954, CVE-2020-28896