openSUSE Security Update: Security update for neomutt
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2022:10020-1
Rating:             moderate
References:         #1184787 #1185705 
Cross-References:   CVE-2021-32055 CVE-2022-1328
CVSS scores:
                    CVE-2021-32055 (NVD) : 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
                    CVE-2021-32055 (SUSE): 5.3 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H
                    CVE-2022-1328 (NVD) : 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
                    CVE-2022-1328 (SUSE): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Affected Products:
                    openSUSE Backports SLE-15-SP4
______________________________________________________________________________

   An update that fixes two vulnerabilities is now available.

Description:

   This update for neomutt fixes the following issues:

   neomutt was updated to 20220429:

   * Bug Fixes
   * Do not crash on an invalid use_threads/sort combination
   * Fix: stuck browser cursor
   * Resolve (move) the cursor after 
   * Index: fix menu size on new mail
   * Don't overlimit LMDB mmap size
   * OpenBSD y/n translation fix
   * Generic: split out OP_EXIT binding
   * Fix parsing of sendmail cmd
   * Fix: crash with menu_move_off=no
   * Newsrc: bugfix; nntp_user and nntp_pass ignored
   * Menu: ensure config changes cause a repaint
   * Mbox: fix sync duplicates
   * Make sure the index redraws all that's needed
   * Translations
   * 100% Chinese (Simplified)
   * 100% Czech
   * 100% German
   * 100% Hungarian
   * 100% Lithuanian
   * 100% Serbian
   * 100% Turkish
   * Docs
   * add missing pattern modifier ~I for external_search_command
   * Code
   * menu: eliminate custom_redraw()
   * modernise mixmaster
   * Kill global and Propagate display attach status through State-

   neomutt was updated to 20220415:

   * Security
   * Fix uudecode buffer overflow (CVE-2022-1328)
   * Features
   * Colours, colours, colours
   * Bug Fixes
   * Pager: fix pager_stop
   * Merge colours with normal
   * Color: disable mono command
   * Fix forwarding text attachments when honor_disposition is set
   * Pager: drop the nntp change-group bindings
   * Use mailbox_check flags coherently, add IMMEDIATE flag
   * Fix: tagging in attachment list
   * Fix: misalignment of mini-index
   * Make sure to update the menu size after a resort
   * Translations
   * 100% Hungarian
   * Build
   * Update acutest
   * Code
   * Unify pipe functions
   * Index: notify if navigation fails
   * Gui: set colour to be merged with normal
   * Fix: leak in tls_check_one_certificate()
   * Upstream
   * Flush iconv() in mutt_convert_string()
   * Fix integer overflow in mutt_convert_string()
   * Fix uudecode cleanup on unexpected eof

   update to 20220408:

   * Compose multipart emails
   * Fix screen mode after attempting decryption
   * imap: increase max size of oauth2 token
   * Fix autocrypt
   * Unify Alias/Query workflow
   * Fix colours
   * Say which file exists when saving attachments
   * Force SMTP authentication if `smtp_user` is set
   * Fix selecting the right email after limiting
   * Make sure we have enough memory for a new email
   * Don't overwrite with zeroes after unlinking the file
   * Fix crash when forwarding attachments
   * Fix help reformatting on window resize
   * Fix poll to use PollFdsCount and not PollFdsLen
   * regex: range check arrays strictly
   * Fix Coverity defects
   * Fix out of bounds write with long log lines
   * Apply `fast_reply` to 'to', 'cc', or 'bcc'
   * Prevent warning on empty emails
   * New default: `set rfc2047_parameters = yes`
   * 100% German
   * 100% Lithuanian
   * 100% Serbian
   * 100% Czech
   * 100% Turkish
   * 72% Hungarian
   * Improve header cache explanation
   * Improve description of some notmuch variables
   * Explain how timezones and `!`s work inside `%{}`, `%[]` and `%()`
   * Document config synonyms and deprecations
   * Create lots of GitHub Actions
   * Drop TravisCI
   * Add automated Fuzzing tests
   * Add automated ASAN tests
   * Create Dockers for building Centos/Fedora
   * Build fixes for Solaris 10
   * New libraries: browser, enter, envelope
   * New configure options: `--fuzzing` `--debug-color` `--debug-queue`
   * Split Index/Pager GUIs/functions
   * Add lots of function dispatchers
   * Eliminate `menu_loop()`
   * Refactor function opcodes
   * Refactor cursor setting
   * Unify Alias/Query functions
   * Refactor Compose/Envelope functions
   * Modernise the Colour handling
   * Refactor the Attachment View
   * Eliminate the global `Context`
   * Upgrade `mutt_get_field()`
   * Refactor the `color quoted` code
   * Fix lots of memory leaks
   * Refactor Index resolve code
   * Refactor PatternList parsing
   * Refactor Mailbox freeing
   * Improve key mapping
   * Factor out charset hooks
   * Expose mutt_file_seek API
   * Improve API of `strto*` wrappers
   * imap QRESYNC fixes
   * Allow an empty To: address prompt
   * Fix argc==0 handling
   * Don't queue IMAP close commands
   * Fix IMAP UTF-7 for code points >= U+10000
   * Don't include inactive messages in msgset generation

   update to 20211029 (boo#1185705, CVE-2021-32055):

   * Notmuch: support separate database and mail roots without .notmuch
   * fix notmuch crash on open failure
   * fix crypto crash handling pgp keys
   * fix ncrypt/pgp file_get_size return check
   * fix restore case-insensitive header sort
   * fix pager redrawing of long lines
   * fix notmuch: check database dir for xapian dir
   * fix notmuch: update index count after 
   * fix protect hash table against empty keys
   * fix prevent real_subj being set but empty
   * fix leak when saving fcc
   * fix leak after 
   * fix leak after trash to hidden mailbox
   * fix leak restoring postponed emails
   * fix new mail notifications
   * fix pattern compilation error for ( !>(~P) )
   * fix menu display on window resize
   * Stop batch mode emails with no argument or recipients
   * Add sanitize call in print mailcap function
   * fix hdr_order to use the longest match
   * fix (un)setenv to not return an error with unset env vars
   * fix Imap sync when closing a mailbox
   * fix segfault on OpenBSD current
   * sidebar: restore sidebar_spoolfile colour
   * fix assert when displaying a file from the browser
   * fix exec command in compose
   * fix check_stats for Notmuch mailboxes
   * Fallback: Open Notmuch database without config
   * fix gui hook commands on startup
   * threads: implement the $use_threads feature
   * https://neomutt.org/feature/use-threads
   * hooks: allow a -noregex param to folder and mbox hooks
   * mailing lists: implement list-(un)subscribe using RFC2369 headers
   * mailcap: implement x-neomutt-nowrap flag
   * pager: add $local_date_header option
   * imap, smtp: add support for authenticating using XOAUTH2
   * Allow  to fail quietly
   * imap: speed up server-side searches
   * pager: improve skip-quoted and skip-headers
   * notmuch: open database with user's configuration
   * notmuch: implement 
   * config: allow += modification of my_ variables
   * notmuch: tolerate file renames behind neomutt's back
   * pager: implement $pager_read_delay
   * notmuch: validate nm_query_window_timebase
   * notmuch: make $nm_record work in non-notmuch mailboxes
   * compose: add $greeting - a welcome message on top of emails
   * notmuch: show additional mail in query windows
   * imap: fix crash on external IMAP events
   * notmuch: handle missing libnotmuch version bumps
   * imap: add sanity check for qresync
   * notmuch: allow windows with 0 duration
   * index: fix index selection on 
   * imap: fix crash when sync'ing labels
   * search: fix searching by Message-Id in 
   * threads: fix double sorting of threads
   * stats: don't check mailbox stats unless told
   * alias: fix crash on empty query
   * pager: honor mid-message config changes
   * mailbox: don't propagate read-only state across reopens
   * hcache: fix caching new labels in the header cache
   * crypto: set invalidity flags for gpgme/smime keys
   * notmuch: fix parsing of multiple type
   * notmuch: validate $nm_default_url
   * messages: avoid unnecessary opening of messages
   * imap: fix seqset iterator when it ends in a comma
   * build: refuse to build without pcre2 when pcre2 is linked in ncurses


Patch Instructions:

   To install this openSUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - openSUSE Backports SLE-15-SP4:

      zypper in -t patch openSUSE-2022-10020=1



Package List:

   - openSUSE Backports SLE-15-SP4 (aarch64 ppc64le s390x x86_64):

      neomutt-20220429-bp154.2.3.1

   - openSUSE Backports SLE-15-SP4 (noarch):

      neomutt-doc-20220429-bp154.2.3.1
      neomutt-lang-20220429-bp154.2.3.1


References:

   https://www.suse.com/security/cve/CVE-2021-32055.html
   https://www.suse.com/security/cve/CVE-2022-1328.html
   https://bugzilla.suse.com/1184787
   https://bugzilla.suse.com/1185705

openSUSE: 2022:10020-1 moderate: neomutt

June 21, 2022