openSUSE-SU-2020:2158-1

See a problem?

Import Source

https://ftp.suse.com/pub/projects/security/osv/openSUSE-SU-2020:2158-1.json

JSON Data

https://api.osv.dev/v1/vulns/openSUSE-SU-2020:2158-1

Related

Published

2020-12-04T09:23:31Z

Modified

2020-12-04T09:23:31Z

Summary

Security update for neomutt

Details

This update for neomutt fixes the following issues:

Update neomutt to 20201120. Address boo#1179035, CVE-2020-28896.

Security
- imap: close connection on all failures
Features
- alias: add function to Alias/Query dialogs
- config: add validators for {imap,smtp,pop}_authenticators
- config: warn when signature file is missing or not readable
- smtp: support for native SMTP LOGIN auth mech
- notmuch: show originating folder in index
Bug Fixes
- sidebar: prevent the divider colour bleeding out
- sidebar: fix <sidebar-{next,prev}-new>
- notmuch: fix query for current email
- restore shutdown-hook functionality
- crash in reply-to
- user-after-free in folder-hook
- fix some leaks
- fix application of limits to modified mailboxes
- write Date header when postponing
Translations
- 100% Lithuanian
- 100% Czech
- 70% Turkish
Docs
- Document that $sort_alias affects the query menu
Build
- improve ASAN flags
- add SASL and S/MIME to --everything
- fix contrib (un)install
Code
- my_hdr compose screen notifications
- add contracts to the MXAPI
- maildir refactoring
- further reduce the use of global variables
Upstream
- Add $count_alternatives to count attachments inside alternatives
- Changes from 20200925
Features
- Compose: display user-defined headers
- Address Book / Query: live sorting
- Address Book / Query: patterns for searching
- Config: Add '+=' and '-=' operators for String Lists
- Config: Add '+=' operator for Strings
- Allow postfix query ':setenv NAME?' for env vars
Bug Fixes
- Fix crash when searching with invalid regexes
- Compose: Prevent infinite loop of send2-hooks
- Fix sidebar on new/removed mailboxes
- Restore indentation for named mailboxes
- Prevent half-parsing an alias
- Remove folder creation prompt for POP path
- Show error if $message_cachedir doesn't point to a valid directory
- Fix tracking LastDir in case of IMAP paths with Unicode characters
- Make sure all mail gets applied the index limit
- Add warnings to -Q query CLI option
- Fix index tracking functionality
Changed Config
- Add $composeshowuser_headers (yes)
Translations
- 100% Czech
- 100% Lithuanian
- Split up usage strings
Build
- Run shellcheck on hcachever.sh
- Add the Address Sanitizer
- Move compose files to lib under compose/
- Move address config into libaddress
- Update to latest acutest - fixes a memory leak in the unit tests
Code
- Implement ARRAY API
- Deglobalised the Config Sort functions
- Refactor the Sidebar to be Event-Driven
- Refactor the Color Event
- Refactor the Commands list
- Make ctxupdatetables private
- Reduce the scope/deps of some Validator functions
- Use the Email's IMAP UID instead of an increasing number as index
- debug: log window focus
  - Removed neomutt-sidebar-abbreviate-shorten-what-user-sees.patch. No longer needed.
  - Update to 20200821:
Bug Fixes
- fix maildir flag generation
- fix query notmuch if file is missing
- notmuch: don't abort sync on error
- fix type checking for send config variables
Changed Config
- $sidebar_format - Use %D rather than %B for named mailboxes
Translations
- 96% Lithuanian
- 90% Polish
- fix(sidebar): abbreviate/shorten what user sees
- Fix sidebar mailbox name display problem.
- Update to 20200814:
Notes
- Add one-liner docs to config items See: neomutt -O -Q smart_wrap
- Remove the built-in editor A large unused and unusable feature
Security
- Add mitigation against DoS from thousands of parts boo#1179113
Features
- Allow index-style searching in postpone menu
- Open NeoMutt using a mailbox name
- Add cd command to change the current working directory
- Add tab-completion menu for patterns
- Allow renaming existing mailboxes
- Check for missing attachments in alternative parts
- Add one-liner docs to config items
Bug Fixes
- Fix logic in checking an empty From address
- Fix Imap crash in cmdparseexpunge()
- Fix setting attributes with S-Lang
- Fix: redrawing of $pagerindexlines
- Fix progress percentage for syncing large mboxes
- Fix sidebar drawing in presence of indentation + named mailboxes
- Fix retrieval of drafts when 'postponed' is not in the mailboxes list
- Do not add comments to address group terminators
- Fix alias sorting for degenerate addresses
- Fix attaching emails
- Create directories for nonexistent file hcache case
- Avoid creating mailboxes for failed subscribes
- Fix crash if rejecting cert
Changed Config
- Add $copydecodeweed, $pipedecodeweed, $printdecodeweed
- Change default of $cryptprotectedheaders_subject to '...'
- Add default keybindings to history-up/down
Translations
- 100% Czech
- 100% Spanish
Build
- Allow building against Lua 5.4
- Fix when sqlite3.h is missing
Docs
- Add a brief section on stty to the manual
- Update section 'Terminal Keybindings' in the manual
- Clarify PGP Pseudo-header S<id> duration
Code
- Clean up String API
- Make the Sidebar more independent
- De-centralise the Config Variables
- Refactor dialogs
- Refactor: Help Bar generation
- Make more APIs Context-free
- Adjust the edata use in Maildir and Notmuch
- Window refactoring
- Convert libsend to use Config functions
- Refactor notifications to reduce noise
- Convert Keymaps to use STAILQ
- Track currently selected email by msgid
- Config: no backing global variable
- Add events for key binding
Upstream
- Fix imap postponed mailbox use-after-free error
- Speed up thread sort when many long threads exist
- Fix ~v tagging when switching to non-threaded sorting
- Add message/global to the list of known 'message' types
- Print progress meter when copying/saving tagged messages
- Remove ansi formatting from autoview generated quoted replies
- Change postpone mode to write Date header too
- Unstuff format=flowed
- Update to 20200626:
Bug Fixes
- Avoid opening the same hcache file twice
- Re-open Mailbox after folder-hook
- Fix the matching of the spoolfile Mailbox
- Fix link-thread to link all tagged emails
Changed Config
- Add $tunnelissecure config, defaulting to true
Upstream
- Don't check IMAP PREAUTH encryption if $tunnel is in use
- Add recommendation to use $sslforcetls
- Changes from 20200501:
Security
- Abort GnuTLS certificate check if a cert in the chain is rejected CVE-2020-14154 boo#1172906
- TLS: clear data after a starttls acknowledgement CVE-2020-14954 boo#1173197
- Prevent possible IMAP MITM via PREAUTH response CVE-2020-14093 boo#1172935
Features
- add config operations +=/-= for number,long
- Address book has a comment field
- Query menu has a comment field
Contrib sample.neomuttrc-starter: Do not echo prompted password
Bug Fixes
- make 'news://' and 'nntp://' schemes interchangeable
- Fix CRLF to LF conversion in base64 decoding
- Double comma in query
- compose: fix redraw after history
- Crash inside empty query menu
- mmdf: fix creating new mailbox
- mh: fix creating new mailbox
- mbox: error out when an mbox/mmdf is a pipe
- Fix list-reply by correct parsing of List-Post headers
- Decode references according to RFC2047
- fix tagged message count
- hcache: fix keylen not being considered when building the full key
- sidebar: fix path comparison
- Don't mess with the original pattern when running IMAP searches
- Handle IMAP 'NO' resps by issuing a msg instead of failing badly
- imap: use the connection delimiter if provided
- Memory leaks
Changed Config
- $aliasformat default changed to include %c comment
- $queryformat default changed to include %e extra info
Translations
- 100% Lithuanian
- 84% French
- Log the translation in use
Docs
- Add missing commands unbind, unmacro to man pages
Build
- Check size of long using LONGMAX instead of _WORDSIZE
- Allow ./configure to not record cflags
- fix out-of-tree build
- Avoid locating gdbm symbols in qdbm library
Code
- Refactor unsafe TAILQ returns
- add window notifications
- flip negative ifs
- Update to latest acutest.h
- test: add store tests
- test: add compression tests
- graphviz: email
- make more opcode info available
- refactor: mainchangefolder()
- refactor: muttmailboxnext()
- refactor: generate_body()
- compress: add {min,max}_level to ComprOps
- emphasise empty loops: '// do nothing'
- prex: convert is_from() to use regex
- Refactor IMAP's search routines
- Update to 20200501:
Bug Fixes
- Make sure buffers are initialized on error
- fix(sidebar): use abbreviated path if possible
Translations
- 100% Lithuanian
Docs
- make header cache config more explicit
- Changes from 20200424:
Bug Fixes
- Fix history corruption
- Handle pretty much anything in a URL query part
- Correctly parse escaped characters in header phrases
- Fix crash reading received header
- Fix sidebar indentation
- Avoid crashing on failure to parse an IMAP mailbox
- Maildir: handle deleted emails correctly
- Ensure OP_NULL is always first
Translations
- 100% Czech
Build
- cirrus: enable pcre2, make pkgconf a special case
- Fix finding pcre2 w/o pkgconf
- build: tdb.h needs size_t, bring it in with stddef.h
- Changes from 20200417:
Features
- Fluid layout for Compose Screen, see: vimeo.com/407231157
- Trivial Database (TDB) header cache backend
- RocksDB header cache backend
- Add <sidebar-first> and <sidebar-last> functions
Bug Fixes
- add error for CLI empty emails
- Allow spaces and square brackets in paths
- browser: fix hidden mailboxes
- fix initial email display
- notmuch: fix time window search.
- fix resize bugs
- notmuch: fix entire-thread: update current email pointer
- sidebar: support indenting and shortening of names
- Handle variables inside backticks in sidebar_whitelist
- browser: fix mask regex error reporting
Translations
- 100% Lithuanian
- 99% Chinese (simplified)
Build
- Use regexes for common parsing tasks: urls, dates
- Add configure option --pcre2 -- Enable PCRE2 regular expressions
- Add configure option --tdb -- Use TDB for the header cache
- Add configure option --rocksdb -- Use RocksDB for the header cache
- Create libstore (key/value backends)
- Update to latest autosetup
- Update to latest acutest.h
- Rename doc/ directory to docs/
- make: fix location of .Po dependency files
- Change libcompress to be more universal
- Fix test fails on х32
- fix uidvalidity to unsigned 32-bit int
Code
- Increase test coverage
- Fix memory leaks
- Fix null checks
Upstream
- Buffer refactoring
- Fix use-after-free in muttstrreplace()
- Clarify PGP Pseudo-header S<id> duration
- Try to respect MUTT_QUIET for IMAP contexts too
- Limit recurse depth when parsing mime messages
- Update to 20200320:
Bug Fixes
- Fix COLUMNS env var
- Fix sync after delete
- Fix crash in notmuch
- Fix sidebar indent
- Fix emptying trash
- Fix command line sending
- Fix reading large address lists
- Resolve symlinks only when necessary
Translations
- lithuania 100% Lithuanian
- es 96% Spanish
Docs
- Include OpenSSL/LibreSSL/GnuTLS version in neomutt -v output
- Fix case of GPGME and SQLite
Build
- Create libcompress (lz4, zlib, zstd)
- Create libhistory
- Create libbcache
- Move zstrm to libconn
Code
- Add more test coverage
- Rename magic to type
- Use muttfilefopen() on config variables
- Change commands to use intptr_t for data
- Update to 20200313:
Window layout
- Sidebar is only visible when it's usable.
Features
- UI: add number of old messages to sidebar_format
- UI: support ISO 8601 calendar date
- UI: fix commands that don’t need to have a non-empty mailbox to be valid
- PGP: inform about successful decryption of inline PGP messages
- PGP: try to infer the signing key from the From address
- PGP: enable GPGMe by default
- Notmuch: use query as name for vfolder-from-query
- IMAP: add network traffic compression (COMPRESS=DEFLATE, RFC4978)
- Header cache: add support for generic header cache compression
Bug Fixes
- Fix uncollapsejump
- Maildir: maildirmboxcheckstats should only update mailbox stats if requested
- Fix unmailboxes for virtual mailboxes
- Maildir: sanitize filename before hashing
- OAuth: if 'login' name isn't available use 'user'
- Add error message on failed encryption
- Fix a bunch of crashes
- Force C locale for email date
- Abort if run without a terminal
Changed Config
- $cryptusegpgme - Now defaults to 'yes' (enabled)
- $abortbackspace - Hitting backspace against an empty prompt aborts the prompt
- $abortkey - String representation of key to abort prompts
- $arrowstring - Use an custom string for arrowcursor
- $cryptopportunisticencryptstrongkeys - Enable encryption only when strong a key is available
- $headercachecompressdictionary - Filepath to dictionary for zstd compression
- $headercachecompresslevel - Level of compression for method
- $headercachecompressmethod - Enable generic hcache database compression
- $imapdeflate - Compress network traffic
- $smtp_user - Username for the SMTP server
Translations
- 100% Lithuanian
- 81% Spanish
- 78% Russian
Build
- Add libdebug
- Rename public headers to lib.h
- Create libcompress for compressed folders code
Code
- Refactor Windows and Dialogs
- Lots of code tidying
- Refactor: muttaddrlist{search,write}
- Lots of improvements to the Config code
- Use Buffers more pervasively
- Unify API function naming
- Rename library shared headers
- Refactor libconn gui dependencies
- Refactor: init.[ch]
- Refactor config to use subsets
- Config: add path type
- Remove backend deps from the connection code
Upstream
- Allow ~b ~B ~h patterns in send2-hook
- Rename smime oppenc mode parameter to getkeysby_addr()
- Add $cryptopportunisticencryptstrongkeys config var
- Fix crash when polling a closed ssl connection
- Turn off auto-clear outside of autocrypt initialization
- Add protected-headers='v1' to Content-Type when protecting headers
- Fix segv in IMAP postponed menu caused by reopen_allow
- Adding ISO 8601 calendar date
- Fix $fcc_attach to not prompt in batch mode
- Convert remaining muttencodepath() call to use struct Buffer
- Fix rendering of replacementchar when Charsetis_utf8
- Update to latest acutest.h
- Update to 20191207:
Features:
- compose: draw status bar with highlights
Bug Fixes:
- crash opening notmuch mailbox
- crash in muttautocryptuirecommendation
- Setting of DTMAILBOX type variables from Lua
- imap: empty cmdbuf before connecting
- imap: select the mailbox on reconnect
- compose: fix attach message
Build:
- make files conditional
Code:
- enum-ify log levels
- fix function prototypes
- refactor virtual email lookups
- factor out global Context
- Changes from 20191129:
Features:
- Add raw mailsize expando (%cr)
Bug Fixes:
- Avoid double question marks in bounce confirmation msg
- Fix bounce confirmation
- fix new-mail flags and behaviour
- fix: browser <descend-directory>
- fix ssl crash
- fix move to trash
- fix flickering
- Do not check hidden mailboxes for new mail
- Fix newmailcommand notifications
- fix crash in examinemailboxes()
- Fix crash in tunnel's connclose
- fix fcc for deep dirs
- imap: fix crash when new mail arrives
- fix colour 'quoted9'
- quieten messages on exit
- fix: crash after failed mbox_check
- browser: default to a file/dir view when attaching a file
Changed Config:
- Change $write_bcc to default off
Docs:
- Add a bit more documentation about sending
- Clarify $write_bcc documentation.
- Update documentation for raw size expando
- docbook: set generate.consistent.ids to make generated html reproducible
Build:
- fix build/tests for 32-bit arches
- tests: fix test that would fail soon
- tests: fix context for failing idna tests
  - Update to 20191111: Bug fixes:
browser: fix directory view
fix crash in muttextracttoken()
force a screen refresh
fix crash sending message from command line
notmuch: use nmdefaulturi if no mailbox data
fix forward attachments
fix: vfprintf undefined behaviour in body_handler
Fix relative symlink resolution
fix: trash to non-existent file/dir
fix re-opening of mbox Mailboxes
close logging as late as possible
log unknown mailboxes
fix crash in command line postpone
fix memory leaks
fix icommand parsing
fix new mail interaction with mailcheckrecent

This update was imported from the openSUSE:Leap:15.2:Update update project.

References

Affected packages

SUSE:Package Hub 15 SP2 / neomutt

Package

Name: neomutt
Purl: purl:rpm/suse/neomutt&distro=SUSE%20Package%20Hub%2015%20SP2

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

20201120-bp152.2.3.1

Ecosystem specific

{
    "binaries": [
        {
            "neomutt-doc": "20201120-bp152.2.3.1",
            "neomutt": "20201120-bp152.2.3.1",
            "neomutt-lang": "20201120-bp152.2.3.1"
        }
    ]
}