| Bug ID | 1179035 |
|---|---|
| Summary | VUL-0: CVE-2020-28896: mutt: incomplete connection termination could lead to sending credentials over an unencrypted connections |
| Classification | openSUSE |
| Product | openSUSE Distribution |
| Version | Leap 15.2 |
| Hardware | Other |
| OS | Other |
| Status | NEW |
| Severity | Normal |
| Priority | P5 - None |
| Component | Security |
| Assignee | werner@suse.com |
| Reporter | Andreas.Stieger@gmx.de |
| QA Contact | qa-bugs@suse.de |
| CC | security-team@suse.de |
| Found By | Security Response Team |
| Blocker | --- |
mutt before 2.0.2 contained an error when during a connection a malicious server provided an illegal initial response, mutt would not close the connection properly. Mutt would subsequently rely on the connection status to decide whether to continue with authentication instead of consulting $ssl_force_tls. This could result in authentication credentials being sent over an unencrypted connection. References: https://gitlab.com/muttmua/mutt/-/commit/04b06aaa3e0cc0022b9b01dbca2863756ebbf59a