On Sat, Apr 18, 2026 at 09:27:59PM +0800, Kevin J. McCarthy wrote:
On Sat, Apr 18, 2026 at 02:14:53PM +0200, evilrabbit via Mutt-dev wrote:Please find below a number of confirmed security findings in the mutt client. None of these are significant but should probably be addressed.Thanks, I will start taking a look at these tomorrow.
Just to summarize the state for everyone. Fixes commited to stable:
### 1. NULL Dereference in Signature Verification (MEDIUM) ### 2. Infinite Loop on GPGME Read Error (MEDIUM) ### 5. CRAM-MD5 HMAC Weakening (MEDIUM, Conditional) ### 6. GSSAPI Buffer Underflow (MEDIUM, Conditional) ### 7. URL %00 Truncation (LOW-MEDIUM)
Fixes commmited to master:
### 8. TLS Certificate CN Fallback (LOW-MEDIUM)
Won't fix:
### 3. POP3 Unbounded Memory Growth (MEDIUM)
Still to discuss/think about:
### 4. MIME Boundary Predictability (MEDIUM)
I'll make a stable release in the next week or two.If anyone has comments about #4, I'd appreciate feedback. The email suggested perhaps ChaCha20 instead of LFSR113 PRNG. I don't think the situation is as dire as the "attack" suggests, but if the PRNG really sucks that badly, we shouldn't be using it.
-- Kevin J. McCarthy GPG Fingerprint: 8975 A9B3 3AA3 7910 385C 5308 ADEF 7684 8031 6BDA
signature.asc
Description: PGP signature
