CVE-2020-28896

Source
https://nvd.nist.gov/vuln/detail/CVE-2020-28896
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-28896.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2020-28896
Downstream
Related
Published
2020-11-23T19:15:11Z
Modified
2025-10-14T17:53:40.546489Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
Summary
[none]
Details

Mutt before 2.0.2 and NeoMutt before 2020-11-20 did not ensure that $ssl_force_tls (the setting that requires connections to remote servers to be encrypted) was processed if an IMAP server's initial server response was invalid. The connection was not properly closed, and the code could continue attempting to authenticate. This could result in authentication credentials being exposed on an unencrypted connection, or to a machine-in-the-middle.

References

Affected packages

Git / github.com/neomutt/neomutt

Affected ranges

Type
GIT
Repo
https://github.com/neomutt/neomutt
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed
Type
GIT
Repo
https://gitlab.com/muttmua/mutt
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed

Affected versions

Other

2019-10-25
20191102
20191111
20191129
20191207
20200313
20200320
20200417
20200424
20200501
20200619
20200626
20200807
20200814
20200821
20200925
mutt-0-92-10i
mutt-0-92-11i
mutt-0-92-9i
mutt-0-93-unstable
mutt-0-94-10i-rel
mutt-0-94-13-rel
mutt-0-94-14-rel
mutt-0-94-15-rel
mutt-0-94-16i-rel
mutt-0-94-17i-rel
mutt-0-94-18-rel
mutt-0-94-5i-rel
mutt-0-94-6i-rel
mutt-0-94-7i-rel
mutt-0-94-8i-rel
mutt-0-94-9i-p1
mutt-0-94-9i-rel
mutt-0-95-rel
mutt-0-96-1-rel
mutt-0-96-2-slightly-post-release
mutt-0-96-3-rel
mutt-0-96-4-rel
mutt-0-96-5-rel
mutt-0-96-6-rel
mutt-0-96-7-rel
mutt-0-96-8-rel
mutt-0-96-rel
mutt-1-1-1-1-rel
mutt-1-1-1-2-rel
mutt-1-1-1-rel
mutt-1-1-10-rel
mutt-1-1-11-rel
mutt-1-1-12-rel
mutt-1-1-13-rel
mutt-1-1-14-rel
mutt-1-1-2-rel
mutt-1-1-3-rel
mutt-1-1-4-rel
mutt-1-1-5-rel
mutt-1-1-6-rel
mutt-1-1-7-rel
mutt-1-1-8-rel
mutt-1-1-9-rel
mutt-1-1-rel
mutt-1-10-1-rel
mutt-1-10-rel
mutt-1-11-1-rel
mutt-1-11-2-rel
mutt-1-11-3-rel
mutt-1-11-4-rel
mutt-1-11-rel
mutt-1-12-1-rel
mutt-1-12-2-rel
mutt-1-12-rel
mutt-1-13-1-rel
mutt-1-13-2-rel
mutt-1-13-3-rel
mutt-1-13-4-rel
mutt-1-13-5-rel
mutt-1-13-rel
mutt-1-14-1-rel
mutt-1-14-2-rel
mutt-1-14-3-rel
mutt-1-14-4-rel
mutt-1-14-5-rel
mutt-1-14-6-rel
mutt-1-14-7-rel
mutt-1-14-rel
mutt-1-3-1-rel
mutt-1-3-10-rel
mutt-1-3-11-rel
mutt-1-3-12-rel
mutt-1-3-13-rel
mutt-1-3-14-rel
mutt-1-3-15-rel
mutt-1-3-16-rel
mutt-1-3-17-rel
mutt-1-3-18-rel
mutt-1-3-19-rel
mutt-1-3-2-rel
mutt-1-3-20-rel
mutt-1-3-21-rel
mutt-1-3-22-1-rel
mutt-1-3-22-rel
mutt-1-3-23-1-rel
mutt-1-3-23-2-rel
mutt-1-3-23-rel
mutt-1-3-24-rel
mutt-1-3-25-rel
mutt-1-3-26-rel
mutt-1-3-27-rel
mutt-1-3-3-rel
mutt-1-3-4-rel
mutt-1-3-5-rel
mutt-1-3-6-rel
mutt-1-3-7-rel
mutt-1-3-8-rel
mutt-1-3-9-rel
mutt-1-3-rel
mutt-1-5-1-rel
mutt-1-5-10-rel
mutt-1-5-11-rel
mutt-1-5-12-rel
mutt-1-5-13-rel
mutt-1-5-14-rel
mutt-1-5-15-rel
mutt-1-5-16-rel
mutt-1-5-17-rel
mutt-1-5-18-rel
mutt-1-5-19-rel
mutt-1-5-2-rel
mutt-1-5-20-rel
mutt-1-5-21-rel
mutt-1-5-22-rel
mutt-1-5-23-rel
mutt-1-5-24-rel
mutt-1-5-3-rel
mutt-1-5-4-rel
mutt-1-5-5-1-rel
mutt-1-5-5-rel
mutt-1-5-6-rel
mutt-1-5-7-rel
mutt-1-5-8-rel
mutt-1-5-9-rel
mutt-1-6-1-rel
mutt-1-6-2-rel
mutt-1-6-rel
mutt-1-7-1-rel
mutt-1-7-2-rel
mutt-1-7-rel
mutt-1-8-1-rel
mutt-1-8-2-rel
mutt-1-8-3-rel
mutt-1-8-rel
mutt-1-9-1-rel
mutt-1-9-2-rel
mutt-1-9-3-rel
mutt-1-9-4-rel
mutt-1-9-5-rel
mutt-1-9-rel
mutt-2-0-1-rel
mutt-2-0-rel
neomutt-20160822
neomutt-20160827
neomutt-20160910
neomutt-20160916
neomutt-20161002
neomutt-20161003
neomutt-20161014
neomutt-20161028
neomutt-20161104
neomutt-20161126
neomutt-20170113
neomutt-20170128
neomutt-20170206
neomutt-20170225
neomutt-20170306
neomutt-20170414
neomutt-20170421
neomutt-20170428
neomutt-20170526
neomutt-20170602
neomutt-20170609
neomutt-20170707
neomutt-20170714
neomutt-20170907
neomutt-20170912
neomutt-20171006
neomutt-20171013
neomutt-20171027
neomutt-20171208
neomutt-20171215
neomutt-20180223
neomutt-20180323
neomutt-20180512
neomutt-20180622
neomutt-20180716
post-type-punning-patch
pre-type-punning-patch

Database specific

{
    "vanir_signatures": [
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "97681317069022648633321322422684727806",
                    "36785202708057762196942193442338311117",
                    "253597231540842366146788943724371966919",
                    "230559841208464531920669666737772608998",
                    "280466068186791739870138129894669237743",
                    "262021813882487199219046830141767096521"
                ]
            },
            "target": {
                "file": "imap/imap.c"
            },
            "deprecated": false,
            "source": "https://gitlab.com/muttmua/mutt@04b06aaa3e0cc0022b9b01dbca2863756ebbf59a",
            "signature_version": "v1",
            "id": "CVE-2020-28896-22711cd6",
            "signature_type": "Line"
        },
        {
            "digest": {
                "length": 1744.0,
                "function_hash": "202502016177147320487911206437497836801"
            },
            "target": {
                "file": "imap/imap.c",
                "function": "imap_open_connection"
            },
            "deprecated": false,
            "source": "https://github.com/neomutt/neomutt/commit/9c36717a3e2af1f2c1b7242035455ec8112b4b06",
            "signature_version": "v1",
            "id": "CVE-2020-28896-310f4177",
            "signature_type": "Function"
        },
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "286078888561440764963754111001874170214",
                    "138677912911684076071538171270727982409",
                    "8469493152676353125235616666611982766",
                    "151210996820641048238653260975568679385",
                    "197676711550233223041620179508224361397",
                    "243278584382770291463985835770676195496",
                    "49304822103842324147419956674017035501",
                    "258071259237864162367846400173725670645",
                    "158969505239337468576499793844749391902",
                    "198714526768278661163508272892097614317",
                    "81681430369553413535836371526730707296",
                    "312226577905102150186839279536172437",
                    "94155202352352823451083128446795154982",
                    "198714526768278661163508272892097614317",
                    "81681430369553413535836371526730707296",
                    "339158229765175876716905195750260807423",
                    "291147170475806138760391662777557853853",
                    "226677642943443396717113156868587596264",
                    "307552207789802678498210380374844441654",
                    "105762104976082084892920596628612734565",
                    "214200509669293428569750858998133236569",
                    "56322473773121290834197305658162405616",
                    "89938834577386823368124135839803635555",
                    "56309300704248097572272131029656428187"
                ]
            },
            "target": {
                "file": "imap/imap.c"
            },
            "deprecated": false,
            "source": "https://github.com/neomutt/neomutt/commit/9c36717a3e2af1f2c1b7242035455ec8112b4b06",
            "signature_version": "v1",
            "id": "CVE-2020-28896-7565f4be",
            "signature_type": "Line"
        },
        {
            "digest": {
                "length": 1763.0,
                "function_hash": "4204636771050573989830569457519837991"
            },
            "target": {
                "file": "imap/imap.c",
                "function": "imap_open_connection"
            },
            "deprecated": false,
            "source": "https://gitlab.com/muttmua/mutt@04b06aaa3e0cc0022b9b01dbca2863756ebbf59a",
            "signature_version": "v1",
            "id": "CVE-2020-28896-9803c123",
            "signature_type": "Function"
        }
    ]
}