==========================================================================
Ubuntu Security Notice USN-4403-1
June 24, 2020

mutt vulnerability and regression
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

– Ubuntu 20.04 LTS
– Ubuntu 19.10
– Ubuntu 18.04 LTS
– Ubuntu 16.04 LTS
– Ubuntu 12.04 ESM

Summary:

Mutt could be made to enable MITM attacks if it received a specially crafted
request.

Software Description:
– mutt: text-based mailreader supporting MIME, GPG, PGP and threading

Details:

It was discovered that Mutt incorrectly handled certain requests.
An attacker could possibly use this issue to enable MITM attacks.
(CVE-2020-14954)

This update also address a regression caused in the last update USN-4401-1.
It only affected Ubuntu 12.04 ESM, Ubuntu 16.04 LTS, Ubuntu 18.04 LTS and Ubuntu 19.10.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 20.04 LTS:
mutt 1.13.2-1ubuntu0.2

Ubuntu 19.10:
mutt 1.10.1-2.1ubuntu0.2

Ubuntu 18.04 LTS:
mutt 1.9.4-3ubuntu0.3

Ubuntu 16.04 LTS:
mutt 1.5.24-1ubuntu0.4

Ubuntu 12.04 ESM:
mutt 1.5.21-5ubuntu2.5

After a standard system update you need to restart mutt to make
all the necessary changes.

References:
https://usn.ubuntu.com/4403-1
CVE-2020-14954, https://launchpad.net/bugs/1884588

Package Information:
https://launchpad.net/ubuntu/+source/mutt/1.13.2-1ubuntu0.2
https://launchpad.net/ubuntu/+source/mutt/1.10.1-2.1ubuntu0.2
https://launchpad.net/ubuntu/+source/mutt/1.9.4-3ubuntu0.3
https://launchpad.net/ubuntu/+source/mutt/1.5.24-1ubuntu0.4
—–BEGIN PGP SIGNATURE—–

iQIzBAABCgAdFiEEf+ebRFcoyOoAQoOeRbznW4QLH2kFAl7zmikACgkQRbznW4QL
H2njfxAAjTRxqpH/sX3V1QxLEZu7px3j9R88afBIm9u7RBGKiVSKcOT6tjs08Bl3
UhpOkXyV7lQWQMaQllsDegDOrCFiOhd/J51fRB0cOFumndDGHu2b8B6YZNspFwz9
CZGCxKE+frT6BEsrIjzBg7Gk0GlkBbeUO9XC/X3QyRuzaGTKmRRw9qjPaQ8vvuog
adjzJDT1NFNVGdaQ1c1egC7D4W9jZ4HCNArQybpykDSMExdvYNRVNMRO7BB74dpF
nEM/e+wpadKZyAMMqRE9byyO7eMtYAvGN3xLW904H7yjQCgzcPd4Fmm+TgGXBRZl
Rt52AYHXeg7sBi3i/6fLN9x3BvoQaf8WGJyIywBawsZJHTJTiIp/5HAzc3Tt/f8k
yFafKFnSiH77Hbl46Q/Z7fKNPIawBVLclG5iTL3qivGHUT80guFIN2PA+GB/xLIr
4ZufyygkuLW0td70KXmwMs6w3S4Rd3QWkgHQwRljeYjpTQA+0P0aUw/zCXgwF0xp
vSCCFzCCOmJe62vWPJEpXuxnPYIr3629Il/5Guv1RFZaiqHDDE0Q+c7gwxF4h1Iw
9/KtLhqV6tFY8lOONXdchyN2BKEZBemaOPr1e84oIxbRQ7+Dw40uzIhC9Wc+/37B
26AkquVW/eBe6fxZq8JoqRNDkfjoGUZbjaiuJ5+XEtv2l21jMVY=
=f6E5
—–END PGP SIGNATURE—–
—