Subject: [ASA-202011-24] neomutt: silent downgrade Arch Linux Security Advisory ASA-202011-24 ========================================== Severity: High Date : 2020-11-26 CVE-ID : CVE-2020-28896 Package : neomutt Type : silent downgrade Remote : Yes Link : https://security.archlinux.org/AVG-1289 Summary ======= The package neomutt before version 20201120-1 is vulnerable to silent downgrade. Resolution ========== Upgrade to 20201120-1. # pacman -Syu "neomutt>=20201120-1" The problem has been fixed upstream in version 20201120. Workaround ========== None. Description =========== A security issue has been found in Mutt before version 2.0.2 and NeoMutt before version 20201120 that could result in authentication credentials being sent over an unencrypted connection, without $ssl_force_tls being consulted. During connection, if the server provided an illegal initial response, the application "bailed", but did not actually close the connection. The calling code relied on the connection status to decide to continue with authentication, instead of checking the "bail" return value. Impact ====== An attacker in position of man-in-the-middle might be able to intercept and alter messages between the e-mail client and the server. References ========== http://lists.mutt.org/pipermail/mutt-users/Week-of-Mon-20201116/002134.html https://mailman.neomutt.org/pipermail/neomutt-users-neomutt.org/2020-November/000929.html https://gitlab.com/muttmua/mutt/-/commit/04b06aaa3e0cc0022b9b01dbca2863756ebbf59a https://github.com/neomutt/neomutt/commit/9c36717a3e2af1f2c1b7242035455ec8112b4b06 https://security.archlinux.org/CVE-2020-28896