[prev in list] [next in list] [prev in thread] [next in thread] 

List:       mutt-users
Subject:    mutt 1.14.3 released
From:       "Kevin J. McCarthy" <kevin () 8t8 ! us>
Date:       2020-06-14 22:05:29
Message-ID: 20200614220529.GA21197 () afu ! lan
[Download RAW message or body]


Hello Mutt Users,

I've just released version 1.14.3.  Instructions for downloading are 
available at <http://www.mutt.org/download.html>, or the tarball can be 
directly downloaded from <http://ftp.mutt.org/pub/mutt/>.  Please take 
the time to verify the signature file against my public key.

This is an important security release fixing two issues.

The first is a possible IMAP man-in-the-middle attack.  No credentials 
are exposed, but could result in unintended emails being "saved" to an 
attacker's server.  The $ssl_starttls quadoption is now used to check 
for an unencrypted PREAUTH response from the server.

Thanks very much to Damian Poddebniak and Fabian Ising from the Münster 
University of Applied Sciences for reporting this issue, and their help 
in testing the fix.

The second fix is for a problem with GnuTLS certificate prompting. 
"Rejecting" an expired intermediate cert did not terminate the 
connection.  Thanks to @henk on IRC for reporting the issue.

-Kevin

["signature.asc" (application/pgp-signature)]

[prev in list] [next in list] [prev in thread] [next in thread]