
http://bugzilla.opensuse.org/show_bug.cgi?id=1179035

Bug ID: 1179035
Summary: VUL-0: CVE-2020-28896: mutt: incomplete connection termination could lead to sending credentials over an unencrypted connections
Classification: openSUSE
Product: openSUSE Distribution
Version: Leap 15.2
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Security
Assignee: werner@suse.com
Reporter: Andreas.Stieger@gmx.de
QA Contact: qa-bugs@suse.de
CC: security-team@suse.de
Found By: Security Response Team
Blocker: ---

mutt before 2.0.2 contained an error: when, during a connection, a malicious server provided an illegal initial response, mutt would not close the connection properly. Mutt would subsequently rely on the connection status to decide whether to continue with authentication instead of consulting $ssl_force_tls. This could result in authentication credentials being sent over an unencrypted connection.

References:
https://gitlab.com/muttmua/mutt/-/commit/04b06aaa3e0cc0022b9b01dbca2863756eb...

--
You are receiving this mail because:
You are on the CC list for the bug.
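
The failure mode described in the report above, as an added C model that is not mutt's source code and not part of the original mail. All struct and function names are hypothetical, the greeting check is simplified to an untagged "* OK", and the "after" variants show one way to harden the logic, assumed rather than taken from the referenced commit.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

struct conn { bool open; bool tls; };      /* hypothetical connection state */
struct policy { bool ssl_force_tls; };     /* stands in for $ssl_force_tls */

/* Simplification: only an untagged "* OK" greeting counts as legal here. */
static bool greeting_ok(const char *line) { return strncmp(line, "* OK", 4) == 0; }

/* Before: the error path returns without tearing the connection down. */
int open_before(struct conn *c, const char *greeting) {
    c->open = true; c->tls = false;        /* plaintext socket just connected */
    if (!greeting_ok(greeting)) return -1; /* stale "open" state survives */
    return 0;
}

/* After: every error path leaves the connection closed. */
int open_after(struct conn *c, const char *greeting) {
    c->open = true; c->tls = false;
    if (!greeting_ok(greeting)) { c->open = false; return -1; }
    return 0;
}

/* Before: the decision to authenticate looks only at connection status. */
bool may_send_credentials_before(const struct conn *c, const struct policy *p) {
    (void)p;                               /* policy is never consulted */
    return c->open;
}

/* After: the TLS policy is checked explicitly, whatever the status says. */
bool may_send_credentials_after(const struct conn *c, const struct policy *p) {
    if (!c->open) return false;
    if (p->ssl_force_tls && !c->tls) return false;
    return true;
}

int main(void) {
    const char *bad = "garbage";           /* constructed illegal greeting */
    struct policy p = { .ssl_force_tls = true };
    struct conn a, b;
    open_before(&a, bad);
    open_after(&b, bad);
    printf("before: send=%d\n", may_send_credentials_before(&a, &p));
    printf("after:  send=%d\n", may_send_credentials_after(&b, &p));
    return 0;
}
```

The two "after" functions are independent safeguards: the policy check refuses cleartext authentication even when it is handed the stale state left by `open_before`.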