On 2020-06-20 14:49:56 -0700, Kevin J. McCarthy wrote:
> Hello Mutt Users,
>
> Please pardon the "non-announcement" use of this list. I generally try to
> keep the noise to a minimum, but felt this update was needed.
>
> The 1.14.3 release, fixing a possible IMAP PREAUTH injection attack, had a
> regression. Those using $tunnel to an IMAP server may now encounter an
> error "Encrypted connection unavailable" unless they change $ssl_starttls.
>
> I've committed a fix:
> <https://gitlab.com/muttmua/mutt/-/commit/dc909119b3433a84290f0095c0f43a23b98b3748>
> but won't be able to make a release for 2-3 days. Packagers may wish to
> apply the patch. Users encountering the problem should set $ssl_starttls to
> "ask-yes", "ask-no", or "no" (with caution) for the time being.

Doesn't this need to unset $ssl_force_tls too?

BTW, I don't think that testing $ssl_starttls here is useful, as
I've just said in bug 246

  https://gitlab.com/muttmua/mutt/-/issues/246

Its value alone will not prevent a MITM attack, and this test may
annoy users who do not need TLS because the connection is already
encapsulated in an encrypted connection.

--
Vincent Lefèvre <vinc...@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)