GNU bug report logs - #32373
neomutt 20180716 security update (fixes CVE-2018-14349 - CVE-2018-14363)


Package: guix-patches;

Reported by: Nils Gillmann <ng0 <at> n0.is>

Date: Mon, 6 Aug 2018 09:29:01 UTC

Severity: normal

Done: Efraim Flashner <efraim <at> flashner.co.il>

Bug is archived. No further changes may be made.



Report forwarded to guix-patches <at> gnu.org:
bug#32373; Package guix-patches. (Mon, 06 Aug 2018 09:29:02 GMT)

Acknowledgement sent to Nils Gillmann <ng0 <at> n0.is>:
New bug report received and forwarded. Copy sent to guix-patches <at> gnu.org. (Mon, 06 Aug 2018 09:29:02 GMT)

Message #5 received at submit <at> debbugs.gnu.org:

From: Nils Gillmann <ng0 <at> n0.is>
To: guix-patches <at> gnu.org
Subject: neomutt 20180716 security update (fixes CVE-2018-14349 -
 CVE-2018-14363)
Date: Mon, 6 Aug 2018 09:29:10 +0000
[Message part 1 (text/plain, inline)]
Hi,

sorry for being late on this important update, life kept me busy.

From the release notes:

> Notes
> This is a small, but intensive, bug-fix release.
> It fixes some important security holes, so upgrading is strongly recommended.
> Some large architectural changes are coming, so the next release may be some months away.
>
> Security
> CVE-2018-14349 - NO Response Heap Overflow
> CVE-2018-14350 - INTERNALDATE Stack Overflow
> CVE-2018-14351 - STATUS Literal Length relative write
> CVE-2018-14352 - imap_quote_string off-by-one stack overflow
> CVE-2018-14353 - imap_quote_string int underflow
> CVE-2018-14354 - imap_subscribe Remote Code Execution
> CVE-2018-14355 - STATUS mailbox header cache directory traversal
> CVE-2018-14356 - POP empty UID NULL deref
> CVE-2018-14357 - LSUB Remote Code Execution
> CVE-2018-14358 - RFC822.SIZE Stack Overflow
> CVE-2018-14359 - base64 decode Stack Overflow
> CVE-2018-14360 - NNTP Group Stack Overflow
> CVE-2018-14361 - NNTP Write 1 where via GROUP response
> CVE-2018-14362 - POP Message Cache Directory Traversal
> CVE-2018-14363 - NNTP Header Cache Directory Traversal
[0001-gnu-neomutt-Update-to-20180716-fixes-CVE-2018-14349-.patch (text/plain, attachment)]

Reply sent to Efraim Flashner <efraim <at> flashner.co.il>:
You have taken responsibility. (Mon, 06 Aug 2018 10:12:02 GMT)

Notification sent to Nils Gillmann <ng0 <at> n0.is>:
bug acknowledged by developer. (Mon, 06 Aug 2018 10:12:02 GMT)

Message #10 received at 32373-done <at> debbugs.gnu.org:

From: Efraim Flashner <efraim <at> flashner.co.il>
To: 32373-done <at> debbugs.gnu.org
Subject: Re: [bug#32373] neomutt 20180716 security update (fixes
 CVE-2018-14349 - CVE-2018-14363)
Date: Mon, 6 Aug 2018 13:11:28 +0300
[Message part 1 (text/plain, inline)]
Applied as 46add5615a49c0fbd125296be8a114b04a03412c

-- 
Efraim Flashner   <efraim <at> flashner.co.il>   אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D  14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted
[signature.asc (application/pgp-signature, inline)]

bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Mon, 03 Sep 2018 11:24:04 GMT)

This bug report was last modified 6 years and 285 days ago.
