Hello Mutt Users,

Please pardon the "non-announcement" use of this list. I generally try to keep the noise to a minimum, but felt this update was needed.

The 1.14.3 release, fixing a possible IMAP PREAUTH injection attack, had a regression. Those using $tunnel to an IMAP server may now encounter an error "Encrypted connection unavailable" unless they change $ssl_starttls.

I've committed a fix: <https://gitlab.com/muttmua/mutt/-/commit/dc909119b3433a84290f0095c0f43a23b98b3748> but won't be able to make a release for 2-3 days. Packagers may wish to apply the patch. Users encountering the problem should set $ssl_starttls to "ask-yes", "ask-no", or "no" (with caution) for the time being.

In the release for 1.14.4, I promised a CVE number, but I have had no success so far, despite waiting a day and submitting again. I may just be doing something wrong, so if any packager with more experience creating CVEs would like to do so for that release, I would greatly appreciate it. (Perhaps also sending an email to mutt-dev, to avoid multiple submissions).

Thank you,

-Kevin
