#13672 closed enhancement (fixed)
mutt-1.14.3
Reported by: | Owned by: | ||
---|---|---|---|
Priority: | high | Milestone: | 10.0 |
Component: | BOOK | Version: | SVN |
Severity: | normal | Keywords: | |
Cc: |
Description
This is an important security release fixing two issues.
The first is a possible IMAP man-in-the-middle attack. No credentials are exposed, but it could result in unintended emails being "saved" to an attacker's server. The $ssl_starttls quadoption is now used to check for an unencrypted PREAUTH response from the server.
Thanks very much to Damian Poddebniak and Fabian Ising from the Münster University of Applied Sciences for reporting this issue, and their help in testing the fix.
The second fix is for a problem with GnuTLS certificate prompting. "Rejecting" an expired intermediate cert did not terminate the connection. Thanks to @henk on IRC for reporting the issue.
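The PREAUTH check described above, as an added example that is not part of the ticket or of mutt's source: a simplified Python model of how a client can treat a PREAUTH greeting on a connection that is not yet encrypted. The function names, the `ask` callback and the mapping of quadoption values to abort/continue are assumptions made for illustration.

```python
# Added illustration, not mutt's source: a simplified model of the check a
# client can make when an IMAP server greets it with PREAUTH in cleartext.
QUAD_VALUES = ("yes", "no", "ask-yes", "ask-no")


def parse_greeting(line: bytes) -> str:
    """Return the status keyword (OK, PREAUTH or BYE) of an IMAP greeting."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2 or parts[0] != b"*":
        raise ValueError("not an untagged IMAP greeting: %r" % line)
    status = parts[1].decode("ascii", "replace").upper()
    if status not in ("OK", "PREAUTH", "BYE"):
        raise ValueError("unexpected greeting status: %s" % status)
    return status


def should_abort(greeting: bytes, tls_active: bool, ssl_starttls: str,
                 ask=None) -> bool:
    """Decide whether to drop the connection right after the greeting.

    Assumption: the quadoption answers "abort this unencrypted PREAUTH
    connection?"; ask-yes / ask-no call ask(default) for the user's answer.
    """
    if ssl_starttls not in QUAD_VALUES:
        raise ValueError("bad quadoption value: %s" % ssl_starttls)
    status = parse_greeting(greeting)
    if status == "BYE":
        return True   # server refused the connection
    if status != "PREAUTH" or tls_active:
        return False  # normal login path, or the channel is already encrypted
    # Cleartext PREAUTH: the session starts out authenticated, and STARTTLS is
    # only valid before authentication, so the upgrade would never be issued.
    if ssl_starttls in ("yes", "no"):
        return ssl_starttls == "yes"
    default = ssl_starttls == "ask-yes"
    return default if ask is None else bool(ask(default))


# Constructed sample greetings (not captured traffic): (line, tls_active).
SAMPLES = [(b"* OK IMAP4rev1 ready\r\n", False),
           (b"* PREAUTH session already authenticated\r\n", False),
           (b"* PREAUTH session already authenticated\r\n", True)]

if __name__ == "__main__":
    for line, tls in SAMPLES:
        verdict = "abort" if should_abort(line, tls, "yes") else "continue"
        print(line.strip().decode(), "| tls:", tls, "->", verdict)
```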
Change History (9)
comment:1 by , 5 years ago
Owner: | changed from | to
---|---|
Status: | new → assigned |
comment:2 by , 5 years ago
comment:3 by , 5 years ago
It gets worse: I get the same error on my server (LFS-9.1) with 1.14.3 but also with 1.14.2. And 1.14.2 was the last thing I installed on the server. :-(
comment:4 by , 5 years ago
/me swears loudly and extendedly.
I'd typed the configure command without prefixing it with 'time ', then somehow managed to put that in the middle of the command.
I don't like Mondays.
comment:5 by , 5 years ago
With my dependencies, manual.txt does NOT get regenerated. It is still installed as empty.
Looks as if libxslt and links need to be recommended.
comment:6 by , 5 years ago
In fact, with the reconfiguration libxslt is not used. Either links or w3m or elinks.
Actually, links could replace elinks; the command needs to not only replace elinks by links, but also drop the '-no-numbering -no-referencing' switches which links does not understand. The difference from using lynx is that lynx produces text intended to be used in less with a lot of overtyped characters for bold text, whereas the modified links invocation is plain text without highlighting.
Hmm, the lynx command uses --with-backspaces (the w3m command has no equivalent switches); omitting that produces plain text output. I'll think about how to fix this up so that lynx or links can be used to produce plain text.
manual.txt is no longer shipped; apparently it is expected to be regenerated during the build.
But configure errors: