openSUSE-SU-2020:2158-1

See a problem?
Import Source
https://ftp.suse.com/pub/projects/security/osv/openSUSE-SU-2020:2158-1.json
JSON Data
https://api.osv.dev/v1/vulns/openSUSE-SU-2020:2158-1
Related
Published
2020-12-04T09:23:31Z
Modified
2020-12-04T09:23:31Z
Summary
Security update for neomutt
Details

This update for neomutt fixes the following issues:

Update neomutt to 20201120. Address boo#1179035, CVE-2020-28896.

  • Security
    • imap: close connection on all failures
  • Features
    • alias: add function to Alias/Query dialogs
    • config: add validators for {imap,smtp,pop}_authenticators
    • config: warn when signature file is missing or not readable
    • smtp: support for native SMTP LOGIN auth mech
    • notmuch: show originating folder in index
  • Bug Fixes
    • sidebar: prevent the divider colour bleeding out
    • sidebar: fix <sidebar-{next,prev}-new>
    • notmuch: fix query for current email
    • restore shutdown-hook functionality
    • crash in reply-to
    • user-after-free in folder-hook
    • fix some leaks
    • fix application of limits to modified mailboxes
    • write Date header when postponing
  • Translations
    • 100% Lithuanian
    • 100% Czech
    • 70% Turkish
  • Docs
    • Document that $sort_alias affects the query menu
  • Build
    • improve ASAN flags
    • add SASL and S/MIME to --everything
    • fix contrib (un)install
  • Code
    • my_hdr compose screen notifications
    • add contracts to the MXAPI
    • maildir refactoring
    • further reduce the use of global variables
  • Upstream
    • Add $count_alternatives to count attachments inside alternatives
    • Changes from 20200925
  • Features
    • Compose: display user-defined headers
    • Address Book / Query: live sorting
    • Address Book / Query: patterns for searching
    • Config: Add '+=' and '-=' operators for String Lists
    • Config: Add '+=' operator for Strings
    • Allow postfix query ':setenv NAME?' for env vars
  • Bug Fixes
    • Fix crash when searching with invalid regexes
    • Compose: Prevent infinite loop of send2-hooks
    • Fix sidebar on new/removed mailboxes
    • Restore indentation for named mailboxes
    • Prevent half-parsing an alias
    • Remove folder creation prompt for POP path
    • Show error if $message_cachedir doesn't point to a valid directory
    • Fix tracking LastDir in case of IMAP paths with Unicode characters
    • Make sure all mail gets applied the index limit
    • Add warnings to -Q query CLI option
    • Fix index tracking functionality
  • Changed Config
    • Add $composeshowuser_headers (yes)
  • Translations
    • 100% Czech
    • 100% Lithuanian
    • Split up usage strings
  • Build
    • Run shellcheck on hcachever.sh
    • Add the Address Sanitizer
    • Move compose files to lib under compose/
    • Move address config into libaddress
    • Update to latest acutest - fixes a memory leak in the unit tests
  • Code

    • Implement ARRAY API
    • Deglobalised the Config Sort functions
    • Refactor the Sidebar to be Event-Driven
    • Refactor the Color Event
    • Refactor the Commands list
    • Make ctxupdatetables private
    • Reduce the scope/deps of some Validator functions
    • Use the Email's IMAP UID instead of an increasing number as index
    • debug: log window focus

      • Removed neomutt-sidebar-abbreviate-shorten-what-user-sees.patch. No longer needed.

      • Update to 20200821:

  • Bug Fixes
    • fix maildir flag generation
    • fix query notmuch if file is missing
    • notmuch: don't abort sync on error
    • fix type checking for send config variables
  • Changed Config
    • $sidebar_format - Use %D rather than %B for named mailboxes
  • Translations

    • 96% Lithuanian
    • 90% Polish
    • fix(sidebar): abbreviate/shorten what user sees

    • Fix sidebar mailbox name display problem.

    • Update to 20200814:

  • Notes
    • Add one-liner docs to config items See: neomutt -O -Q smart_wrap
    • Remove the built-in editor A large unused and unusable feature
  • Security
    • Add mitigation against DoS from thousands of parts boo#1179113
  • Features
    • Allow index-style searching in postpone menu
    • Open NeoMutt using a mailbox name
    • Add cd command to change the current working directory
    • Add tab-completion menu for patterns
    • Allow renaming existing mailboxes
    • Check for missing attachments in alternative parts
    • Add one-liner docs to config items
  • Bug Fixes
    • Fix logic in checking an empty From address
    • Fix Imap crash in cmdparseexpunge()
    • Fix setting attributes with S-Lang
    • Fix: redrawing of $pagerindexlines
    • Fix progress percentage for syncing large mboxes
    • Fix sidebar drawing in presence of indentation + named mailboxes
    • Fix retrieval of drafts when 'postponed' is not in the mailboxes list
    • Do not add comments to address group terminators
    • Fix alias sorting for degenerate addresses
    • Fix attaching emails
    • Create directories for nonexistent file hcache case
    • Avoid creating mailboxes for failed subscribes
    • Fix crash if rejecting cert
  • Changed Config
    • Add $copydecodeweed, $pipedecodeweed, $printdecodeweed
    • Change default of $cryptprotectedheaders_subject to '...'
    • Add default keybindings to history-up/down
  • Translations
    • 100% Czech
    • 100% Spanish
  • Build
    • Allow building against Lua 5.4
    • Fix when sqlite3.h is missing
  • Docs
    • Add a brief section on stty to the manual
    • Update section 'Terminal Keybindings' in the manual
    • Clarify PGP Pseudo-header S<id> duration
  • Code
    • Clean up String API
    • Make the Sidebar more independent
    • De-centralise the Config Variables
    • Refactor dialogs
    • Refactor: Help Bar generation
    • Make more APIs Context-free
    • Adjust the edata use in Maildir and Notmuch
    • Window refactoring
    • Convert libsend to use Config functions
    • Refactor notifications to reduce noise
    • Convert Keymaps to use STAILQ
    • Track currently selected email by msgid
    • Config: no backing global variable
    • Add events for key binding
  • Upstream

    • Fix imap postponed mailbox use-after-free error
    • Speed up thread sort when many long threads exist
    • Fix ~v tagging when switching to non-threaded sorting
    • Add message/global to the list of known 'message' types
    • Print progress meter when copying/saving tagged messages
    • Remove ansi formatting from autoview generated quoted replies
    • Change postpone mode to write Date header too
    • Unstuff format=flowed

    • Update to 20200626:

  • Bug Fixes
    • Avoid opening the same hcache file twice
    • Re-open Mailbox after folder-hook
    • Fix the matching of the spoolfile Mailbox
    • Fix link-thread to link all tagged emails
  • Changed Config
    • Add $tunnelissecure config, defaulting to true
  • Upstream
    • Don't check IMAP PREAUTH encryption if $tunnel is in use
    • Add recommendation to use $sslforcetls
    • Changes from 20200501:
  • Security
    • Abort GnuTLS certificate check if a cert in the chain is rejected CVE-2020-14154 boo#1172906
    • TLS: clear data after a starttls acknowledgement CVE-2020-14954 boo#1173197
    • Prevent possible IMAP MITM via PREAUTH response CVE-2020-14093 boo#1172935
  • Features
    • add config operations +=/-= for number,long
    • Address book has a comment field
    • Query menu has a comment field
  • Contrib sample.neomuttrc-starter: Do not echo prompted password
  • Bug Fixes
    • make 'news://' and 'nntp://' schemes interchangeable
    • Fix CRLF to LF conversion in base64 decoding
    • Double comma in query
    • compose: fix redraw after history
    • Crash inside empty query menu
    • mmdf: fix creating new mailbox
    • mh: fix creating new mailbox
    • mbox: error out when an mbox/mmdf is a pipe
    • Fix list-reply by correct parsing of List-Post headers
    • Decode references according to RFC2047
    • fix tagged message count
    • hcache: fix keylen not being considered when building the full key
    • sidebar: fix path comparison
    • Don't mess with the original pattern when running IMAP searches
    • Handle IMAP 'NO' resps by issuing a msg instead of failing badly
    • imap: use the connection delimiter if provided
    • Memory leaks
  • Changed Config
    • $aliasformat default changed to include %c comment
    • $queryformat default changed to include %e extra info
  • Translations
    • 100% Lithuanian
    • 84% French
    • Log the translation in use
  • Docs
    • Add missing commands unbind, unmacro to man pages
  • Build
    • Check size of long using LONGMAX instead of _WORDSIZE
    • Allow ./configure to not record cflags
    • fix out-of-tree build
    • Avoid locating gdbm symbols in qdbm library
  • Code

    • Refactor unsafe TAILQ returns
    • add window notifications
    • flip negative ifs
    • Update to latest acutest.h
    • test: add store tests
    • test: add compression tests
    • graphviz: email
    • make more opcode info available
    • refactor: mainchangefolder()
    • refactor: muttmailboxnext()
    • refactor: generate_body()
    • compress: add {min,max}_level to ComprOps
    • emphasise empty loops: '// do nothing'
    • prex: convert is_from() to use regex
    • Refactor IMAP's search routines

    • Update to 20200501:

  • Bug Fixes
    • Make sure buffers are initialized on error
    • fix(sidebar): use abbreviated path if possible
  • Translations
    • 100% Lithuanian
  • Docs
    • make header cache config more explicit
    • Changes from 20200424:
  • Bug Fixes
    • Fix history corruption
    • Handle pretty much anything in a URL query part
    • Correctly parse escaped characters in header phrases
    • Fix crash reading received header
    • Fix sidebar indentation
    • Avoid crashing on failure to parse an IMAP mailbox
    • Maildir: handle deleted emails correctly
    • Ensure OP_NULL is always first
  • Translations
    • 100% Czech
  • Build
    • cirrus: enable pcre2, make pkgconf a special case
    • Fix finding pcre2 w/o pkgconf
    • build: tdb.h needs size_t, bring it in with stddef.h
    • Changes from 20200417:
  • Features
    • Fluid layout for Compose Screen, see: vimeo.com/407231157
    • Trivial Database (TDB) header cache backend
    • RocksDB header cache backend
    • Add <sidebar-first> and <sidebar-last> functions
  • Bug Fixes
    • add error for CLI empty emails
    • Allow spaces and square brackets in paths
    • browser: fix hidden mailboxes
    • fix initial email display
    • notmuch: fix time window search.
    • fix resize bugs
    • notmuch: fix entire-thread: update current email pointer
    • sidebar: support indenting and shortening of names
    • Handle variables inside backticks in sidebar_whitelist
    • browser: fix mask regex error reporting
  • Translations
    • 100% Lithuanian
    • 99% Chinese (simplified)
  • Build
    • Use regexes for common parsing tasks: urls, dates
    • Add configure option --pcre2 -- Enable PCRE2 regular expressions
    • Add configure option --tdb -- Use TDB for the header cache
    • Add configure option --rocksdb -- Use RocksDB for the header cache
    • Create libstore (key/value backends)
    • Update to latest autosetup
    • Update to latest acutest.h
    • Rename doc/ directory to docs/
    • make: fix location of .Po dependency files
    • Change libcompress to be more universal
    • Fix test fails on х32
    • fix uidvalidity to unsigned 32-bit int
  • Code
    • Increase test coverage
    • Fix memory leaks
    • Fix null checks
  • Upstream

    • Buffer refactoring
    • Fix use-after-free in muttstrreplace()
    • Clarify PGP Pseudo-header S<id> duration
    • Try to respect MUTT_QUIET for IMAP contexts too
    • Limit recurse depth when parsing mime messages

    • Update to 20200320:

  • Bug Fixes
    • Fix COLUMNS env var
    • Fix sync after delete
    • Fix crash in notmuch
    • Fix sidebar indent
    • Fix emptying trash
    • Fix command line sending
    • Fix reading large address lists
    • Resolve symlinks only when necessary
  • Translations
    • lithuania 100% Lithuanian
    • es 96% Spanish
  • Docs
    • Include OpenSSL/LibreSSL/GnuTLS version in neomutt -v output
    • Fix case of GPGME and SQLite
  • Build
    • Create libcompress (lz4, zlib, zstd)
    • Create libhistory
    • Create libbcache
    • Move zstrm to libconn
  • Code

    • Add more test coverage
    • Rename magic to type
    • Use muttfilefopen() on config variables
    • Change commands to use intptr_t for data

    • Update to 20200313:

  • Window layout
    • Sidebar is only visible when it's usable.
  • Features
    • UI: add number of old messages to sidebar_format
    • UI: support ISO 8601 calendar date
    • UI: fix commands that don’t need to have a non-empty mailbox to be valid
    • PGP: inform about successful decryption of inline PGP messages
    • PGP: try to infer the signing key from the From address
    • PGP: enable GPGMe by default
    • Notmuch: use query as name for vfolder-from-query
    • IMAP: add network traffic compression (COMPRESS=DEFLATE, RFC4978)
    • Header cache: add support for generic header cache compression
  • Bug Fixes
    • Fix uncollapsejump
    • Only try to perform entire-thread on maildir/mh mailboxes
    • Fix crash in pager
    • Avoid logging single new lines at the end of header fields
    • Fix listing mailboxes
    • Do not recurse a non-threaded message
    • Fix initial window order
    • Fix leaks on IMAP error paths
    • Notmuch: compose(attach-message): support notmuch backend
    • Fix IMAP flag comparison code
    • Fix $move for IMAP mailboxes
    • Maildir: maildirmboxcheckstats should only update mailbox stats if requested
    • Fix unmailboxes for virtual mailboxes
    • Maildir: sanitize filename before hashing
    • OAuth: if 'login' name isn't available use 'user'
    • Add error message on failed encryption
    • Fix a bunch of crashes
    • Force C locale for email date
    • Abort if run without a terminal
  • Changed Config
    • $cryptusegpgme - Now defaults to 'yes' (enabled)
    • $abortbackspace - Hitting backspace against an empty prompt aborts the prompt
    • $abortkey - String representation of key to abort prompts
    • $arrowstring - Use an custom string for arrowcursor
    • $cryptopportunisticencryptstrongkeys - Enable encryption only when strong a key is available
    • $headercachecompressdictionary - Filepath to dictionary for zstd compression
    • $headercachecompresslevel - Level of compression for method
    • $headercachecompressmethod - Enable generic hcache database compression
    • $imapdeflate - Compress network traffic
    • $smtp_user - Username for the SMTP server
  • Translations
    • 100% Lithuanian
    • 81% Spanish
    • 78% Russian
  • Build
    • Add libdebug
    • Rename public headers to lib.h
    • Create libcompress for compressed folders code
  • Code
    • Refactor Windows and Dialogs
    • Lots of code tidying
    • Refactor: muttaddrlist{search,write}
    • Lots of improvements to the Config code
    • Use Buffers more pervasively
    • Unify API function naming
    • Rename library shared headers
    • Refactor libconn gui dependencies
    • Refactor: init.[ch]
    • Refactor config to use subsets
    • Config: add path type
    • Remove backend deps from the connection code
  • Upstream

    • Allow ~b ~B ~h patterns in send2-hook
    • Rename smime oppenc mode parameter to getkeysby_addr()
    • Add $cryptopportunisticencryptstrongkeys config var
    • Fix crash when polling a closed ssl connection
    • Turn off auto-clear outside of autocrypt initialization
    • Add protected-headers='v1' to Content-Type when protecting headers
    • Fix segv in IMAP postponed menu caused by reopen_allow
    • Adding ISO 8601 calendar date
    • Fix $fcc_attach to not prompt in batch mode
    • Convert remaining muttencodepath() call to use struct Buffer
    • Fix rendering of replacementchar when Charsetis_utf8
    • Update to latest acutest.h

    • Update to 20191207:

  • Features:
    • compose: draw status bar with highlights
  • Bug Fixes:
    • crash opening notmuch mailbox
    • crash in muttautocryptuirecommendation
    • Avoid negative allocation
    • Mbox new mail
    • Setting of DTMAILBOX type variables from Lua
    • imap: empty cmdbuf before connecting
    • imap: select the mailbox on reconnect
    • compose: fix attach message
  • Build:
    • make files conditional
  • Code:
    • enum-ify log levels
    • fix function prototypes
    • refactor virtual email lookups
    • factor out global Context
    • Changes from 20191129:
  • Features:
    • Add raw mailsize expando (%cr)
  • Bug Fixes:
    • Avoid double question marks in bounce confirmation msg
    • Fix bounce confirmation
    • fix new-mail flags and behaviour
    • fix: browser <descend-directory>
    • fix ssl crash
    • fix move to trash
    • fix flickering
    • Do not check hidden mailboxes for new mail
    • Fix newmailcommand notifications
    • fix crash in examinemailboxes()
    • fix crash in muttsortthreads()
    • fix: crash after sending
    • Fix crash in tunnel's connclose
    • fix fcc for deep dirs
    • imap: fix crash when new mail arrives
    • fix colour 'quoted9'
    • quieten messages on exit
    • fix: crash after failed mbox_check
    • browser: default to a file/dir view when attaching a file
  • Changed Config:
    • Change $write_bcc to default off
  • Docs:
    • Add a bit more documentation about sending
    • Clarify $write_bcc documentation.
    • Update documentation for raw size expando
    • docbook: set generate.consistent.ids to make generated html reproducible
  • Build:

    • fix build/tests for 32-bit arches
    • tests: fix test that would fail soon
    • tests: fix context for failing idna tests

      • Update to 20191111: Bug fixes:
  • browser: fix directory view
  • fix crash in muttextracttoken()
  • force a screen refresh
  • fix crash sending message from command line
  • notmuch: use nmdefaulturi if no mailbox data
  • fix forward attachments
  • fix: vfprintf undefined behaviour in body_handler
  • Fix relative symlink resolution
  • fix: trash to non-existent file/dir
  • fix re-opening of mbox Mailboxes
  • close logging as late as possible
  • log unknown mailboxes
  • fix crash in command line postpone
  • fix memory leaks
  • fix icommand parsing
  • fix new mail interaction with mailcheckrecent

This update was imported from the openSUSE:Leap:15.2:Update update project.

References

Affected packages

SUSE:Package Hub 15 SP2 / neomutt

Package

Name
neomutt
Purl
pkg:rpm/suse/neomutt&distro=SUSE%20Package%20Hub%2015%20SP2

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
20201120-bp152.2.3.1

Ecosystem specific

{
    "binaries": [
        {
            "neomutt-doc": "20201120-bp152.2.3.1",
            "neomutt": "20201120-bp152.2.3.1",
            "neomutt-lang": "20201120-bp152.2.3.1"
        }
    ]
}