CVE-2020-28896 log

Source	CVE Red Hat MITRE NVD Debian Ubuntu SUSE Alpine Mageia CVE Details CIRCL Bugs Arch Linux Red Hat Gentoo SUSE GitHub Lists oss-security full-disclosure bugtraq Misc GitHub code web search
Severity	High
Remote	Yes
Type	Silent downgrade
Description	A security issue has been found in Mutt before version 2.0.2 and NeoMutt before version 20201120 that could result in authentication credentials being sent over an unencrypted connection, without $ssl_force_tls being consulted. During connection, if the server provided an illegal initial response, the application "bailed", but did not actually close the connection. The calling code relied on the connection status to decide to continue with authentication, instead of checking the "bail" return value.

Group	Package	Affected	Fixed	Severity	Status	Ticket
AVG-1289	neomutt	20200925-1	20201120-1	High	Fixed
AVG-1288	mutt	2.0.1-1	2.0.2-1	High	Fixed

Date	Advisory	Group	Package	Severity	Type
26 Nov 2020	ASA-202011-25	AVG-1288	mutt	High	silent downgrade
26 Nov 2020	ASA-202011-24	AVG-1289	neomutt	High	silent downgrade

References
http://lists.mutt.org/pipermail/mutt-users/Week-of-Mon-20201116/002134.html https://mailman.neomutt.org/pipermail/neomutt-users-neomutt.org/2020-November/000929.html https://gitlab.com/muttmua/mutt/-/commit/04b06aaa3e0cc0022b9b01dbca2863756ebbf59a https://github.com/neomutt/neomutt/commit/9c36717a3e2af1f2c1b7242035455ec8112b4b06

References

http://lists.mutt.org/pipermail/mutt-users/Week-of-Mon-20201116/002134.html
https://mailman.neomutt.org/pipermail/neomutt-users-neomutt.org/2020-November/000929.html
https://gitlab.com/muttmua/mutt/-/commit/04b06aaa3e0cc0022b9b01dbca2863756ebbf59a
https://github.com/neomutt/neomutt/commit/9c36717a3e2af1f2c1b7242035455ec8112b4b06