Re: CVE status and regression in 1.14.3 release

On Mon, Jun 22, 2020 at 09:07:38AM -0400, Aaron Schrab wrote: At 17:54 -0700 21 Jun 2020, "Kevin J. McCarthy" wrote: For master branch, I'll add a new option, something like $tunnel_is_secure, defaulting "yes". That will turn off STARTTLS for tunneled imap, pop3, and smtp connections (a possi

Re: CVE status and regression in 1.14.3 release

At 17:54 -0700 21 Jun 2020, "Kevin J. McCarthy" wrote: For master branch, I'll add a new option, something like $tunnel_is_secure, defaulting "yes". That will turn off STARTTLS for tunneled imap, pop3, and smtp connections (a possibly breaking change). It will also disable the "IMAP PREAUTH"

Re: CVE status and regression in 1.14.3 release

On 2020-06-21 17:54:56 -0700, Kevin J. McCarthy wrote: > I'm inclined to take the stance that the $tunnel is secure. For stable > branch, I'll include the PREAUTH patch in <20200621151915.gg23...@afu.lan>: > if (!idata->conn->ssf && !Tunnel && option(OPTSSLFORCETLS)) > but make no other changes.

Re: CVE status and regression in 1.14.3 release

On Sun, Jun 21, 2020 at 10:08:44PM +0200, Vincent Lefevre wrote: On 2020-06-21 10:59:05 -0700, Kevin J. McCarthy wrote: Aaron Schrab posted a patch in ticket 250, setting conn->ssf for $tunnel, but I am not clear on what is expected of $tunnel either. Does $tunnel imply Mutt can assume the conn

Re: CVE status and regression in 1.14.3 release

On 2020-06-21 10:59:05 -0700, Kevin J. McCarthy wrote: > On Sun, Jun 21, 2020 at 07:29:58PM +0200, Vincent Lefevre wrote: > > Well, there's still something that isn't clear. When the user uses the > > "imaps" protocol, I assume that the connection needs to be encrypted, > > whatever the value of $s

Re: CVE status and regression in 1.14.3 release

On Sun, Jun 21, 2020 at 07:29:58PM +0200, Vincent Lefevre wrote: Well, there's still something that isn't clear. When the user uses the "imaps" protocol, I assume that the connection needs to be encrypted, whatever the value of $ssl_force_tls (and $ssl_starttls, but STARTTLS must not be used in t

Re: CVE status and regression in 1.14.3 release

On 2020-06-21 08:19:15 -0700, Kevin J. McCarthy wrote: > This has been a bad week and I'm tired. Sorry, I understand your point now. > > I think you are right. I'm protecting against *nothing* by inserting a > $ssl_starttls prompt for "* PREAUTH" because the MITM can just as easily > insert "* O

Re: CVE status and regression in 1.14.3 release

On Sun, Jun 21, 2020 at 06:57:26AM -0700, Kevin J. McCarthy wrote: On Sun, Jun 21, 2020 at 01:37:53PM +0200, Vincent Lefevre wrote: On 2020-06-20 14:49:56 -0700, Kevin J. McCarthy wrote: BTW, I don't think that testing $ssl_starttls here is useful, as I've just said in bug 246 https://gitlab.co

Re: CVE status and regression in 1.14.3 release

On Sun, Jun 21, 2020 at 01:37:53PM +0200, Vincent Lefevre wrote: On 2020-06-20 14:49:56 -0700, Kevin J. McCarthy wrote: I've committed a fix: but won't be able to make a release for 2-3 days. Packagers may wish

Re: CVE status and regression in 1.14.3 release

On 2020-06-20 14:49:56 -0700, Kevin J. McCarthy wrote: > Hello Mutt Users, > > Please pardon the "non-announcement" use of this list. I generally try to > keep the noise to a minimum, but felt this update was needed. > > The 1.14.3 release, fixing a possible IMAP PREAUTH injection attack, had a