CVE-2020-28896

Severity: High
Remote: Yes
Type: Silent downgrade
Description:
A security issue has been found in Mutt before version 2.0.2 and NeoMutt before version 20201120 that could result in authentication credentials being sent over an unencrypted connection, without $ssl_force_tls being consulted. During connection, if the server provided an illegal initial response, the application "bailed", but did not actually close the connection. The calling code relied on the connection status to decide to continue with authentication, instead of checking the "bail" return value.
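To show the control-flow defect the description names, here is an added C sketch, not code from Mutt or NeoMutt; Conn, open_connection, login and the greeting check are hypothetical stand-ins, and $ssl_force_tls is modelled as always on:

```c
#include <stdbool.h>
#include <string.h>

/* Hypothetical stand-in for a mail connection; not Mutt's real struct. */
typedef struct {
    bool connected;   /* the status flag the vulnerable caller consulted */
    bool tls;         /* set once STARTTLS has been negotiated */
    bool creds_sent;  /* set when credentials go over the wire */
} Conn;

enum { NO_AUTH = 0, AUTH_OVER_TLS = 1, AUTH_PLAINTEXT = 2 };
/* Reads the server greeting: 0 on success, -1 ("bail") on an illegal initial
 * response. Only with close_on_bail does the bail path really tear the
 * connection down, as the fix does; otherwise the socket stays open. */
static int open_connection(Conn *c, const char *greeting, bool close_on_bail)
{
    if (strncmp(greeting, "* OK", 4) != 0) {   /* constructed legality check */
        if (close_on_bail)
            c->connected = false;
        return -1;
    }
    c->tls = true;   /* $ssl_force_tls honoured: STARTTLS before any login */
    return 0;
}

/* Sends credentials if the connection is still up; it knows nothing about TLS. */
static void login(Conn *c) { if (c->connected) c->creds_sent = true; }
static int outcome(const Conn *c)
{
    return !c->creds_sent ? NO_AUTH : (c->tls ? AUTH_OVER_TLS : AUTH_PLAINTEXT);
}
/* Vulnerable flow: ignores the bail return value and trusts c.connected, so an
 * illegal greeting skips STARTTLS yet login() still runs over the open socket. */
int vulnerable_flow(const char *greeting)
{
    Conn c = { .connected = true, .tls = false, .creds_sent = false };
    open_connection(&c, greeting, false);
    if (c.connected)
        login(&c);
    return outcome(&c);
}

/* Fixed flow: bail closes the connection and the caller checks the return value. */
int fixed_flow(const char *greeting)
{
    Conn c = { .connected = true, .tls = false, .creds_sent = false };
    if (open_connection(&c, greeting, true) == 0)
        login(&c);
    return outcome(&c);
}
```

A server that answers the initial greeting with anything but a legal response makes the vulnerable flow send credentials in the clear; the fixed flow sends nothing.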
Group     Package   Affected     Fixed        Severity  Status  Ticket
AVG-1289  neomutt   20200925-1   20201120-1   High      Fixed
AVG-1288  mutt      2.0.1-1      2.0.2-1      High      Fixed
Date         Advisory        Group     Package   Severity  Type
26 Nov 2020  ASA-202011-25   AVG-1288  mutt      High      silent downgrade
26 Nov 2020  ASA-202011-24   AVG-1289  neomutt   High      silent downgrade
References
http://lists.mutt.org/pipermail/mutt-users/Week-of-Mon-20201116/002134.html
https://mailman.neomutt.org/pipermail/neomutt-users-neomutt.org/2020-November/000929.html
https://gitlab.com/muttmua/mutt/-/commit/04b06aaa3e0cc0022b9b01dbca2863756ebbf59a
https://github.com/neomutt/neomutt/commit/9c36717a3e2af1f2c1b7242035455ec8112b4b06