CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:P/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
AI Score
Confidence
High
EPSS
Percentile
76.5%
This update for neomutt fixes the following issues :
Update neomutt to 20201120. Address boo#1179035, CVE-2020-28896.
Security
imap: close connection on all failures
Features
alias: add function to Alias/Query dialogs
config: add validators for (imap,smtp,pop)_authenticators
config: warn when signature file is missing or not readable
smtp: support for native SMTP LOGIN auth mech
notmuch: show originating folder in index
Bug Fixes
sidebar: prevent the divider colour bleeding out
sidebar: fix <sidebar-(next,prev)-new>
notmuch: fix query for current email
restore shutdown-hook functionality
crash in reply-to
user-after-free in folder-hook
fix some leaks
fix application of limits to modified mailboxes
write Date header when postponing
Translations
100% Lithuanian
100% Czech
70% Turkish
Docs
Document that $sort_alias affects the query menu
Build
improve ASAN flags
add SASL and S/MIME to --everything
fix contrib (un)install
Code
my_hdr compose screen notifications
add contracts to the MXAPI
maildir refactoring
further reduce the use of global variables
Upstream
Add $count_alternatives to count attachments inside alternatives
Changes from 20200925
Features
Compose: display user-defined headers
Address Book / Query: live sorting
Address Book / Query: patterns for searching
Config: Add ‘+=’ and ‘-=’ operators for String Lists
Config: Add ‘+=’ operator for Strings
Allow postfix query ‘:setenv NAME?’ for env vars
Bug Fixes
Fix crash when searching with invalid regexes
Compose: Prevent infinite loop of send2-hooks
Fix sidebar on new/removed mailboxes
Restore indentation for named mailboxes
Prevent half-parsing an alias
Remove folder creation prompt for POP path
Show error if $message_cachedir doesn’t point to a valid directory
Fix tracking LastDir in case of IMAP paths with Unicode characters
Make sure all mail gets applied the index limit
Add warnings to -Q query CLI option
Fix index tracking functionality
Changed Config
Add $compose_show_user_headers (yes)
Translations
100% Czech
100% Lithuanian
Split up usage strings
Build
Run shellcheck on hcachever.sh
Add the Address Sanitizer
Move compose files to lib under compose/
Move address config into libaddress
Update to latest acutest - fixes a memory leak in the unit tests
Code
Implement ARRAY API
Deglobalised the Config Sort functions
Refactor the Sidebar to be Event-Driven
Refactor the Color Event
Refactor the Commands list
Make ctx_update_tables private
Reduce the scope/deps of some Validator functions
Use the Email’s IMAP UID instead of an increasing number as index
debug: log window focus
Removed neomutt-sidebar-abbreviate-shorten-what-user-sees.patch.
No longer needed.
Update to 20200821 :
Bug Fixes
fix maildir flag generation
fix query notmuch if file is missing
notmuch: don’t abort sync on error
fix type checking for send config variables
Changed Config
$sidebar_format - Use %D rather than %B for named mailboxes
Translations
96% Lithuanian
90% Polish
fix(sidebar): abbreviate/shorten what user sees
Fix sidebar mailbox name display problem.
Update to 20200814 :
Notes
Add one-liner docs to config items See: neomutt -O -Q smart_wrap
Remove the built-in editor A large unused and unusable feature
Security
Add mitigation against DoS from thousands of parts boo#1179113
Features
Allow index-style searching in postpone menu
Open NeoMutt using a mailbox name
Add cd command to change the current working directory
Add tab-completion menu for patterns
Allow renaming existing mailboxes
Check for missing attachments in alternative parts
Add one-liner docs to config items
Bug Fixes
Fix logic in checking an empty From address
Fix Imap crash in cmd_parse_expunge()
Fix setting attributes with S-Lang
Fix: redrawing of $pager_index_lines
Fix progress percentage for syncing large mboxes
Fix sidebar drawing in presence of indentation + named mailboxes
Fix retrieval of drafts when ‘postponed’ is not in the mailboxes list
Do not add comments to address group terminators
Fix alias sorting for degenerate addresses
Fix attaching emails
Create directories for nonexistent file hcache case
Avoid creating mailboxes for failed subscribes
Fix crash if rejecting cert
Changed Config
Add $copy_decode_weed, $pipe_decode_weed, $print_decode_weed
Change default of $crypt_protected_headers_subject to ‘…’
Add default keybindings to history-up/down
Translations
100% Czech
100% Spanish
Build
Allow building against Lua 5.4
Fix when sqlite3.h is missing
Docs
Add a brief section on stty to the manual
Update section ‘Terminal Keybindings’ in the manual
Clarify PGP Pseudo-header S<id> duration
Code
Clean up String API
Make the Sidebar more independent
De-centralise the Config Variables
Refactor dialogs
Refactor: Help Bar generation
Make more APIs Context-free
Adjust the edata use in Maildir and Notmuch
Window refactoring
Convert libsend to use Config functions
Refactor notifications to reduce noise
Convert Keymaps to use STAILQ
Track currently selected email by msgid
Config: no backing global variable
Add events for key binding
Upstream
Fix imap postponed mailbox use-after-free error
Speed up thread sort when many long threads exist
Fix ~v tagging when switching to non-threaded sorting
Add message/global to the list of known ‘message’ types
Print progress meter when copying/saving tagged messages
Remove ansi formatting from autoview generated quoted replies
Change postpone mode to write Date header too
Unstuff format=flowed
Update to 20200626 :
Bug Fixes
Avoid opening the same hcache file twice
Re-open Mailbox after folder-hook
Fix the matching of the spoolfile Mailbox
Fix link-thread to link all tagged emails
Changed Config
Add $tunnel_is_secure config, defaulting to true
Upstream
Don’t check IMAP PREAUTH encryption if $tunnel is in use
Add recommendation to use $ssl_force_tls
Changes from 20200501 :
Security
Abort GnuTLS certificate check if a cert in the chain is rejected CVE-2020-14154 boo#1172906
TLS: clear data after a starttls acknowledgement CVE-2020-14954 boo#1173197
Prevent possible IMAP MITM via PREAUTH response CVE-2020-14093 boo#1172935
Features
add config operations +=/-= for number,long
Address book has a comment field
Query menu has a comment field
Contrib sample.neomuttrc-starter: Do not echo prompted password
Bug Fixes
make ‘news://’ and ‘nntp://’ schemes interchangeable
Fix CRLF to LF conversion in base64 decoding
Double comma in query
compose: fix redraw after history
Crash inside empty query menu
mmdf: fix creating new mailbox
mh: fix creating new mailbox
mbox: error out when an mbox/mmdf is a pipe
Fix list-reply by correct parsing of List-Post headers
Decode references according to RFC2047
fix tagged message count
hcache: fix keylen not being considered when building the full key
sidebar: fix path comparison
Don’t mess with the original pattern when running IMAP searches
Handle IMAP ‘NO’ resps by issuing a msg instead of failing badly
imap: use the connection delimiter if provided
Memory leaks
Changed Config
$alias_format default changed to include %c comment
$query_format default changed to include %e extra info
Translations
100% Lithuanian
84% French
Log the translation in use
Docs
Add missing commands unbind, unmacro to man pages
Build
Check size of long using LONG_MAX instead of __WORDSIZE
Allow ./configure to not record cflags
fix out-of-tree build
Avoid locating gdbm symbols in qdbm library
Code
Refactor unsafe TAILQ returns
add window notifications
flip negative ifs
Update to latest acutest.h
test: add store tests
test: add compression tests
graphviz: email
make more opcode info available
refactor: main_change_folder()
refactor: mutt_mailbox_next()
refactor: generate_body()
compress: add (min,max)_level to ComprOps
emphasise empty loops: ‘// do nothing’
prex: convert is_from() to use regex
Refactor IMAP’s search routines
Update to 20200501 :
Bug Fixes
Make sure buffers are initialized on error
fix(sidebar): use abbreviated path if possible
Translations
100% Lithuanian
Docs
make header cache config more explicit
Changes from 20200424 :
Bug Fixes
Fix history corruption
Handle pretty much anything in a URL query part
Correctly parse escaped characters in header phrases
Fix crash reading received header
Fix sidebar indentation
Avoid crashing on failure to parse an IMAP mailbox
Maildir: handle deleted emails correctly
Ensure OP_NULL is always first
Translations
100% Czech
Build
cirrus: enable pcre2, make pkgconf a special case
Fix finding pcre2 w/o pkgconf
build: tdb.h needs size_t, bring it in with stddef.h
Changes from 20200417 :
Features
Fluid layout for Compose Screen, see:
vimeo.com/407231157
Trivial Database (TDB) header cache backend
RocksDB header cache backend
Add <sidebar-first> and <sidebar-last> functions
Bug Fixes
add error for CLI empty emails
Allow spaces and square brackets in paths
browser: fix hidden mailboxes
fix initial email display
notmuch: fix time window search.
fix resize bugs
notmuch: fix entire-thread: update current email pointer
sidebar: support indenting and shortening of names
Handle variables inside backticks in sidebar_whitelist
browser: fix mask regex error reporting
Translations
100% Lithuanian
99% Chinese (simplified)
Build
Use regexes for common parsing tasks: urls, dates
Add configure option --pcre2 – Enable PCRE2 regular expressions
Add configure option --tdb – Use TDB for the header cache
Add configure option --rocksdb – Use RocksDB for the header cache
Create libstore (key/value backends)
Update to latest autosetup
Update to latest acutest.h
Rename doc/ directory to docs/
make: fix location of .Po dependency files
Change libcompress to be more universal
Fix test fails on х32
fix uidvalidity to unsigned 32-bit int
Code
Increase test coverage
Fix memory leaks
Fix null checks
Upstream
Buffer refactoring
Fix use-after-free in mutt_str_replace()
Clarify PGP Pseudo-header S<id> duration
Try to respect MUTT_QUIET for IMAP contexts too
Limit recurse depth when parsing mime messages
Update to 20200320 :
Bug Fixes
Fix COLUMNS env var
Fix sync after delete
Fix crash in notmuch
Fix sidebar indent
Fix emptying trash
Fix command line sending
Fix reading large address lists
Resolve symlinks only when necessary
Translations
lithuania 100% Lithuanian
es 96% Spanish
Docs
Include OpenSSL/LibreSSL/GnuTLS version in neomutt -v output
Fix case of GPGME and SQLite
Build
Create libcompress (lz4, zlib, zstd)
Create libhistory
Create libbcache
Move zstrm to libconn
Code
Add more test coverage
Rename magic to type
Use mutt_file_fopen() on config variables
Change commands to use intptr_t for data
Update to 20200313 :
Window layout
Sidebar is only visible when it’s usable.
Features
UI: add number of old messages to sidebar_format
UI: support ISO 8601 calendar date
UI: fix commands that don’t need to have a non-empty mailbox to be valid
PGP: inform about successful decryption of inline PGP messages
PGP: try to infer the signing key from the From address
PGP: enable GPGMe by default
Notmuch: use query as name for vfolder-from-query
IMAP: add network traffic compression (COMPRESS=DEFLATE, RFC4978)
Header cache: add support for generic header cache compression
Bug Fixes
Fix uncollapse_jump
Only try to perform entire-thread on maildir/mh mailboxes
Fix crash in pager
Avoid logging single new lines at the end of header fields
Fix listing mailboxes
Do not recurse a non-threaded message
Fix initial window order
Fix leaks on IMAP error paths
Notmuch: compose(attach-message): support notmuch backend
Fix IMAP flag comparison code
Fix $move for IMAP mailboxes
Maildir: maildir_mbox_check_stats should only update mailbox stats if requested
Fix unmailboxes for virtual mailboxes
Maildir: sanitize filename before hashing
OAuth: if ‘login’ name isn’t available use ‘user’
Add error message on failed encryption
Fix a bunch of crashes
Force C locale for email date
Abort if run without a terminal
Changed Config
$crypt_use_gpgme - Now defaults to ‘yes’ (enabled)
$abort_backspace - Hitting backspace against an empty prompt aborts the prompt
$abort_key - String representation of key to abort prompts
$arrow_string - Use an custom string for arrow_cursor
$crypt_opportunistic_encrypt_strong_keys - Enable encryption only when strong a key is available
$header_cache_compress_dictionary - Filepath to dictionary for zstd compression
$header_cache_compress_level - Level of compression for method
$header_cache_compress_method - Enable generic hcache database compression
$imap_deflate - Compress network traffic
$smtp_user - Username for the SMTP server
Translations
100% Lithuanian
81% Spanish
78% Russian
Build
Add libdebug
Rename public headers to lib.h
Create libcompress for compressed folders code
Code
Refactor Windows and Dialogs
Lots of code tidying
Refactor: mutt_addrlist_(search,write)
Lots of improvements to the Config code
Use Buffers more pervasively
Unify API function naming
Rename library shared headers
Refactor libconn gui dependencies
Refactor: init.[ch]
Refactor config to use subsets
Config: add path type
Remove backend deps from the connection code
Upstream
Allow ~b ~B ~h patterns in send2-hook
Rename smime oppenc mode parameter to get_keys_by_addr()
Add $crypt_opportunistic_encrypt_strong_keys config var
Fix crash when polling a closed ssl connection
Turn off auto-clear outside of autocrypt initialization
Add protected-headers=‘v1’ to Content-Type when protecting headers
Fix segv in IMAP postponed menu caused by reopen_allow
Adding ISO 8601 calendar date
Fix $fcc_attach to not prompt in batch mode
Convert remaining mutt_encode_path() call to use struct Buffer
Fix rendering of replacement_char when Charset_is_utf8
Update to latest acutest.h
Update to 20191207 :
Features :
compose: draw status bar with highlights
Bug Fixes :
crash opening notmuch mailbox
crash in mutt_autocrypt_ui_recommendation
Avoid negative allocation
Mbox new mail
Setting of DT_MAILBOX type variables from Lua
imap: empty cmdbuf before connecting
imap: select the mailbox on reconnect
compose: fix attach message
Build :
make files conditional
Code :
enum-ify log levels
fix function prototypes
refactor virtual email lookups
factor out global Context
Changes from 20191129 :
Features :
Add raw mailsize expando (%cr)
Bug Fixes :
Avoid double question marks in bounce confirmation msg
Fix bounce confirmation
fix new-mail flags and behaviour
fix: browser <descend-directory>
fix ssl crash
fix move to trash
fix flickering
Do not check hidden mailboxes for new mail
Fix new_mail_command notifications
fix crash in examine_mailboxes()
fix crash in mutt_sort_threads()
fix: crash after sending
Fix crash in tunnel’s conn_close
fix fcc for deep dirs
imap: fix crash when new mail arrives
fix colour ‘quoted9’
quieten messages on exit
fix: crash after failed mbox_check
browser: default to a file/dir view when attaching a file
Changed Config :
Change $write_bcc to default off
Docs :
Add a bit more documentation about sending
Clarify $write_bcc documentation.
Update documentation for raw size expando
docbook: set generate.consistent.ids to make generated html reproducible
Build :
fix build/tests for 32-bit arches
tests: fix test that would fail soon
tests: fix context for failing idna tests
Update to 20191111: Bug fixes :
browser: fix directory view
fix crash in mutt_extract_token()
force a screen refresh
fix crash sending message from command line
notmuch: use nm_default_uri if no mailbox data
fix forward attachments
fix: vfprintf undefined behaviour in body_handler
Fix relative symlink resolution
fix: trash to non-existent file/dir
fix re-opening of mbox Mailboxes
close logging as late as possible
log unknown mailboxes
fix crash in command line postpone
fix memory leaks
fix icommand parsing
fix new mail interaction with mail_check_recent
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from openSUSE Security Update openSUSE-2020-2127.
#
# The text description of this plugin is (C) SUSE LLC.
#
include('compat.inc');
if (description)
{
script_id(143462);
script_version("1.4");
script_set_attribute(attribute:"plugin_modification_date", value:"2024/02/07");
script_cve_id(
"CVE-2020-14093",
"CVE-2020-14154",
"CVE-2020-14954",
"CVE-2020-28896"
);
script_name(english:"openSUSE Security Update : neomutt (openSUSE-2020-2127)");
script_set_attribute(attribute:"synopsis", value:
"The remote openSUSE host is missing a security update.");
script_set_attribute(attribute:"description", value:
"This update for neomutt fixes the following issues :
Update neomutt to 20201120. Address boo#1179035, CVE-2020-28896.
- Security
- imap: close connection on all failures
- Features
- alias: add function to Alias/Query dialogs
- config: add validators for
(imap,smtp,pop)_authenticators
- config: warn when signature file is missing or not
readable
- smtp: support for native SMTP LOGIN auth mech
- notmuch: show originating folder in index
- Bug Fixes
- sidebar: prevent the divider colour bleeding out
- sidebar: fix <sidebar-(next,prev)-new>
- notmuch: fix query for current email
- restore shutdown-hook functionality
- crash in reply-to
- user-after-free in folder-hook
- fix some leaks
- fix application of limits to modified mailboxes
- write Date header when postponing
- Translations
- 100% Lithuanian
- 100% Czech
- 70% Turkish
- Docs
- Document that $sort_alias affects the query menu
- Build
- improve ASAN flags
- add SASL and S/MIME to --everything
- fix contrib (un)install
- Code
- my_hdr compose screen notifications
- add contracts to the MXAPI
- maildir refactoring
- further reduce the use of global variables
- Upstream
- Add $count_alternatives to count attachments inside
alternatives
- Changes from 20200925
- Features
- Compose: display user-defined headers
- Address Book / Query: live sorting
- Address Book / Query: patterns for searching
- Config: Add '+=' and '-=' operators for String Lists
- Config: Add '+=' operator for Strings
- Allow postfix query ':setenv NAME?' for env vars
- Bug Fixes
- Fix crash when searching with invalid regexes
- Compose: Prevent infinite loop of send2-hooks
- Fix sidebar on new/removed mailboxes
- Restore indentation for named mailboxes
- Prevent half-parsing an alias
- Remove folder creation prompt for POP path
- Show error if $message_cachedir doesn't point to a valid
directory
- Fix tracking LastDir in case of IMAP paths with Unicode
characters
- Make sure all mail gets applied the index limit
- Add warnings to -Q query CLI option
- Fix index tracking functionality
- Changed Config
- Add $compose_show_user_headers (yes)
- Translations
- 100% Czech
- 100% Lithuanian
- Split up usage strings
- Build
- Run shellcheck on hcachever.sh
- Add the Address Sanitizer
- Move compose files to lib under compose/
- Move address config into libaddress
- Update to latest acutest - fixes a memory leak in the
unit tests
- Code
- Implement ARRAY API
- Deglobalised the Config Sort functions
- Refactor the Sidebar to be Event-Driven
- Refactor the Color Event
- Refactor the Commands list
- Make ctx_update_tables private
- Reduce the scope/deps of some Validator functions
- Use the Email's IMAP UID instead of an increasing number
as index
- debug: log window focus
- Removed
neomutt-sidebar-abbreviate-shorten-what-user-sees.patch.
No longer needed.
- Update to 20200821 :
- Bug Fixes
- fix maildir flag generation
- fix query notmuch if file is missing
- notmuch: don't abort sync on error
- fix type checking for send config variables
- Changed Config
- $sidebar_format - Use %D rather than %B for named
mailboxes
- Translations
- 96% Lithuanian
- 90% Polish
- fix(sidebar): abbreviate/shorten what user sees
- Fix sidebar mailbox name display problem.
- Update to 20200814 :
- Notes
- Add one-liner docs to config items See: neomutt -O -Q
smart_wrap
- Remove the built-in editor A large unused and unusable
feature
- Security
- Add mitigation against DoS from thousands of parts
boo#1179113
- Features
- Allow index-style searching in postpone menu
- Open NeoMutt using a mailbox name
- Add cd command to change the current working directory
- Add tab-completion menu for patterns
- Allow renaming existing mailboxes
- Check for missing attachments in alternative parts
- Add one-liner docs to config items
- Bug Fixes
- Fix logic in checking an empty From address
- Fix Imap crash in cmd_parse_expunge()
- Fix setting attributes with S-Lang
- Fix: redrawing of $pager_index_lines
- Fix progress percentage for syncing large mboxes
- Fix sidebar drawing in presence of indentation + named
mailboxes
- Fix retrieval of drafts when 'postponed' is not in the
mailboxes list
- Do not add comments to address group terminators
- Fix alias sorting for degenerate addresses
- Fix attaching emails
- Create directories for nonexistent file hcache case
- Avoid creating mailboxes for failed subscribes
- Fix crash if rejecting cert
- Changed Config
- Add $copy_decode_weed, $pipe_decode_weed,
$print_decode_weed
- Change default of $crypt_protected_headers_subject to
'...'
- Add default keybindings to history-up/down
- Translations
- 100% Czech
- 100% Spanish
- Build
- Allow building against Lua 5.4
- Fix when sqlite3.h is missing
- Docs
- Add a brief section on stty to the manual
- Update section 'Terminal Keybindings' in the manual
- Clarify PGP Pseudo-header S<id> duration
- Code
- Clean up String API
- Make the Sidebar more independent
- De-centralise the Config Variables
- Refactor dialogs
- Refactor: Help Bar generation
- Make more APIs Context-free
- Adjust the edata use in Maildir and Notmuch
- Window refactoring
- Convert libsend to use Config functions
- Refactor notifications to reduce noise
- Convert Keymaps to use STAILQ
- Track currently selected email by msgid
- Config: no backing global variable
- Add events for key binding
- Upstream
- Fix imap postponed mailbox use-after-free error
- Speed up thread sort when many long threads exist
- Fix ~v tagging when switching to non-threaded sorting
- Add message/global to the list of known 'message' types
- Print progress meter when copying/saving tagged messages
- Remove ansi formatting from autoview generated quoted
replies
- Change postpone mode to write Date header too
- Unstuff format=flowed
- Update to 20200626 :
- Bug Fixes
- Avoid opening the same hcache file twice
- Re-open Mailbox after folder-hook
- Fix the matching of the spoolfile Mailbox
- Fix link-thread to link all tagged emails
- Changed Config
- Add $tunnel_is_secure config, defaulting to true
- Upstream
- Don't check IMAP PREAUTH encryption if $tunnel is in use
- Add recommendation to use $ssl_force_tls
- Changes from 20200501 :
- Security
- Abort GnuTLS certificate check if a cert in the chain is
rejected CVE-2020-14154 boo#1172906
- TLS: clear data after a starttls acknowledgement
CVE-2020-14954 boo#1173197
- Prevent possible IMAP MITM via PREAUTH response
CVE-2020-14093 boo#1172935
- Features
- add config operations +=/-= for number,long
- Address book has a comment field
- Query menu has a comment field
- Contrib sample.neomuttrc-starter: Do not echo prompted
password
- Bug Fixes
- make 'news://' and 'nntp://' schemes interchangeable
- Fix CRLF to LF conversion in base64 decoding
- Double comma in query
- compose: fix redraw after history
- Crash inside empty query menu
- mmdf: fix creating new mailbox
- mh: fix creating new mailbox
- mbox: error out when an mbox/mmdf is a pipe
- Fix list-reply by correct parsing of List-Post headers
- Decode references according to RFC2047
- fix tagged message count
- hcache: fix keylen not being considered when building
the full key
- sidebar: fix path comparison
- Don't mess with the original pattern when running IMAP
searches
- Handle IMAP 'NO' resps by issuing a msg instead of
failing badly
- imap: use the connection delimiter if provided
- Memory leaks
- Changed Config
- $alias_format default changed to include %c comment
- $query_format default changed to include %e extra info
- Translations
- 100% Lithuanian
- 84% French
- Log the translation in use
- Docs
- Add missing commands unbind, unmacro to man pages
- Build
- Check size of long using LONG_MAX instead of __WORDSIZE
- Allow ./configure to not record cflags
- fix out-of-tree build
- Avoid locating gdbm symbols in qdbm library
- Code
- Refactor unsafe TAILQ returns
- add window notifications
- flip negative ifs
- Update to latest acutest.h
- test: add store tests
- test: add compression tests
- graphviz: email
- make more opcode info available
- refactor: main_change_folder()
- refactor: mutt_mailbox_next()
- refactor: generate_body()
- compress: add (min,max)_level to ComprOps
- emphasise empty loops: '// do nothing'
- prex: convert is_from() to use regex
- Refactor IMAP's search routines
- Update to 20200501 :
- Bug Fixes
- Make sure buffers are initialized on error
- fix(sidebar): use abbreviated path if possible
- Translations
- 100% Lithuanian
- Docs
- make header cache config more explicit
- Changes from 20200424 :
- Bug Fixes
- Fix history corruption
- Handle pretty much anything in a URL query part
- Correctly parse escaped characters in header phrases
- Fix crash reading received header
- Fix sidebar indentation
- Avoid crashing on failure to parse an IMAP mailbox
- Maildir: handle deleted emails correctly
- Ensure OP_NULL is always first
- Translations
- 100% Czech
- Build
- cirrus: enable pcre2, make pkgconf a special case
- Fix finding pcre2 w/o pkgconf
- build: tdb.h needs size_t, bring it in with stddef.h
- Changes from 20200417 :
- Features
- Fluid layout for Compose Screen, see:
vimeo.com/407231157
- Trivial Database (TDB) header cache backend
- RocksDB header cache backend
- Add <sidebar-first> and <sidebar-last> functions
- Bug Fixes
- add error for CLI empty emails
- Allow spaces and square brackets in paths
- browser: fix hidden mailboxes
- fix initial email display
- notmuch: fix time window search.
- fix resize bugs
- notmuch: fix entire-thread: update current email pointer
- sidebar: support indenting and shortening of names
- Handle variables inside backticks in sidebar_whitelist
- browser: fix mask regex error reporting
- Translations
- 100% Lithuanian
- 99% Chinese (simplified)
- Build
- Use regexes for common parsing tasks: urls, dates
- Add configure option --pcre2 -- Enable PCRE2 regular
expressions
- Add configure option --tdb -- Use TDB for the header
cache
- Add configure option --rocksdb -- Use RocksDB for the
header cache
- Create libstore (key/value backends)
- Update to latest autosetup
- Update to latest acutest.h
- Rename doc/ directory to docs/
- make: fix location of .Po dependency files
- Change libcompress to be more universal
- Fix test fails on х32
- fix uidvalidity to unsigned 32-bit int
- Code
- Increase test coverage
- Fix memory leaks
- Fix null checks
- Upstream
- Buffer refactoring
- Fix use-after-free in mutt_str_replace()
- Clarify PGP Pseudo-header S<id> duration
- Try to respect MUTT_QUIET for IMAP contexts too
- Limit recurse depth when parsing mime messages
- Update to 20200320 :
- Bug Fixes
- Fix COLUMNS env var
- Fix sync after delete
- Fix crash in notmuch
- Fix sidebar indent
- Fix emptying trash
- Fix command line sending
- Fix reading large address lists
- Resolve symlinks only when necessary
- Translations
- lithuania 100% Lithuanian
- es 96% Spanish
- Docs
- Include OpenSSL/LibreSSL/GnuTLS version in neomutt -v
output
- Fix case of GPGME and SQLite
- Build
- Create libcompress (lz4, zlib, zstd)
- Create libhistory
- Create libbcache
- Move zstrm to libconn
- Code
- Add more test coverage
- Rename magic to type
- Use mutt_file_fopen() on config variables
- Change commands to use intptr_t for data
- Update to 20200313 :
- Window layout
- Sidebar is only visible when it's usable.
- Features
- UI: add number of old messages to sidebar_format
- UI: support ISO 8601 calendar date
- UI: fix commands that don’t need to have a
non-empty mailbox to be valid
- PGP: inform about successful decryption of inline PGP
messages
- PGP: try to infer the signing key from the From address
- PGP: enable GPGMe by default
- Notmuch: use query as name for vfolder-from-query
- IMAP: add network traffic compression (COMPRESS=DEFLATE,
RFC4978)
- Header cache: add support for generic header cache
compression
- Bug Fixes
- Fix uncollapse_jump
- Only try to perform entire-thread on maildir/mh
mailboxes
- Fix crash in pager
- Avoid logging single new lines at the end of header
fields
- Fix listing mailboxes
- Do not recurse a non-threaded message
- Fix initial window order
- Fix leaks on IMAP error paths
- Notmuch: compose(attach-message): support notmuch
backend
- Fix IMAP flag comparison code
- Fix $move for IMAP mailboxes
- Maildir: maildir_mbox_check_stats should only update
mailbox stats if requested
- Fix unmailboxes for virtual mailboxes
- Maildir: sanitize filename before hashing
- OAuth: if 'login' name isn't available use 'user'
- Add error message on failed encryption
- Fix a bunch of crashes
- Force C locale for email date
- Abort if run without a terminal
- Changed Config
- $crypt_use_gpgme - Now defaults to 'yes' (enabled)
- $abort_backspace - Hitting backspace against an empty
prompt aborts the prompt
- $abort_key - String representation of key to abort
prompts
- $arrow_string - Use an custom string for arrow_cursor
- $crypt_opportunistic_encrypt_strong_keys - Enable
encryption only when strong a key is available
- $header_cache_compress_dictionary - Filepath to
dictionary for zstd compression
- $header_cache_compress_level - Level of compression for
method
- $header_cache_compress_method - Enable generic hcache
database compression
- $imap_deflate - Compress network traffic
- $smtp_user - Username for the SMTP server
- Translations
- 100% Lithuanian
- 81% Spanish
- 78% Russian
- Build
- Add libdebug
- Rename public headers to lib.h
- Create libcompress for compressed folders code
- Code
- Refactor Windows and Dialogs
- Lots of code tidying
- Refactor: mutt_addrlist_(search,write)
- Lots of improvements to the Config code
- Use Buffers more pervasively
- Unify API function naming
- Rename library shared headers
- Refactor libconn gui dependencies
- Refactor: init.[ch]
- Refactor config to use subsets
- Config: add path type
- Remove backend deps from the connection code
- Upstream
- Allow ~b ~B ~h patterns in send2-hook
- Rename smime oppenc mode parameter to get_keys_by_addr()
- Add $crypt_opportunistic_encrypt_strong_keys config var
- Fix crash when polling a closed ssl connection
- Turn off auto-clear outside of autocrypt initialization
- Add protected-headers='v1' to Content-Type when
protecting headers
- Fix segv in IMAP postponed menu caused by reopen_allow
- Adding ISO 8601 calendar date
- Fix $fcc_attach to not prompt in batch mode
- Convert remaining mutt_encode_path() call to use struct
Buffer
- Fix rendering of replacement_char when Charset_is_utf8
- Update to latest acutest.h
- Update to 20191207 :
- Features :
- compose: draw status bar with highlights
- Bug Fixes :
- crash opening notmuch mailbox
- crash in mutt_autocrypt_ui_recommendation
- Avoid negative allocation
- Mbox new mail
- Setting of DT_MAILBOX type variables from Lua
- imap: empty cmdbuf before connecting
- imap: select the mailbox on reconnect
- compose: fix attach message
- Build :
- make files conditional
- Code :
- enum-ify log levels
- fix function prototypes
- refactor virtual email lookups
- factor out global Context
- Changes from 20191129 :
- Features :
- Add raw mailsize expando (%cr)
- Bug Fixes :
- Avoid double question marks in bounce confirmation msg
- Fix bounce confirmation
- fix new-mail flags and behaviour
- fix: browser <descend-directory>
- fix ssl crash
- fix move to trash
- fix flickering
- Do not check hidden mailboxes for new mail
- Fix new_mail_command notifications
- fix crash in examine_mailboxes()
- fix crash in mutt_sort_threads()
- fix: crash after sending
- Fix crash in tunnel's conn_close
- fix fcc for deep dirs
- imap: fix crash when new mail arrives
- fix colour 'quoted9'
- quieten messages on exit
- fix: crash after failed mbox_check
- browser: default to a file/dir view when attaching a
file
- Changed Config :
- Change $write_bcc to default off
- Docs :
- Add a bit more documentation about sending
- Clarify $write_bcc documentation.
- Update documentation for raw size expando
- docbook: set generate.consistent.ids to make generated
html reproducible
- Build :
- fix build/tests for 32-bit arches
- tests: fix test that would fail soon
- tests: fix context for failing idna tests
- Update to 20191111: Bug fixes :
- browser: fix directory view
- fix crash in mutt_extract_token()
- force a screen refresh
- fix crash sending message from command line
- notmuch: use nm_default_uri if no mailbox data
- fix forward attachments
- fix: vfprintf undefined behaviour in body_handler
- Fix relative symlink resolution
- fix: trash to non-existent file/dir
- fix re-opening of mbox Mailboxes
- close logging as late as possible
- log unknown mailboxes
- fix crash in command line postpone
- fix memory leaks
- fix icommand parsing
- fix new mail interaction with mail_check_recent");
script_set_attribute(attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1172906");
script_set_attribute(attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1172935");
script_set_attribute(attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1173197");
script_set_attribute(attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1179035");
script_set_attribute(attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1179113");
script_set_attribute(attribute:"solution", value:
"Update the affected neomutt packages.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N");
script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-14154");
script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2020-14954");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
script_set_attribute(attribute:"vuln_publication_date", value:"2020/06/15");
script_set_attribute(attribute:"patch_publication_date", value:"2020/11/30");
script_set_attribute(attribute:"plugin_publication_date", value:"2020/12/03");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:neomutt");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:neomutt-debuginfo");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:neomutt-debugsource");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:neomutt-lang");
script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:15.1");
script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:15.2");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"SuSE Local Security Checks");
script_copyright(english:"This script is Copyright (C) 2020-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");
exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("rpm.inc");
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/SuSE/release");
if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
if (release !~ "^(SUSE15\.1|SUSE15\.2)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "15.1 / 15.2", release);
if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
ourarch = get_kb_item("Host/cpu");
if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
if (ourarch !~ "^(x86_64)$") audit(AUDIT_ARCH_NOT, "x86_64", ourarch);
flag = 0;
if ( rpm_check(release:"SUSE15.1", reference:"neomutt-20201120-lp151.2.3.1") ) flag++;
if ( rpm_check(release:"SUSE15.1", reference:"neomutt-debuginfo-20201120-lp151.2.3.1") ) flag++;
if ( rpm_check(release:"SUSE15.1", reference:"neomutt-debugsource-20201120-lp151.2.3.1") ) flag++;
if ( rpm_check(release:"SUSE15.1", reference:"neomutt-lang-20201120-lp151.2.3.1") ) flag++;
if ( rpm_check(release:"SUSE15.2", reference:"neomutt-20201120-lp152.2.3.1") ) flag++;
if ( rpm_check(release:"SUSE15.2", reference:"neomutt-debuginfo-20201120-lp152.2.3.1") ) flag++;
if ( rpm_check(release:"SUSE15.2", reference:"neomutt-debugsource-20201120-lp152.2.3.1") ) flag++;
if ( rpm_check(release:"SUSE15.2", reference:"neomutt-lang-20201120-lp152.2.3.1") ) flag++;
if (flag)
{
if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
else security_warning(0);
exit(0);
}
else
{
tested = pkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, "neomutt / neomutt-debuginfo / neomutt-debugsource / neomutt-lang");
}
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14093
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14154
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14954
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28896
bugzilla.opensuse.org/show_bug.cgi?id=1172906
bugzilla.opensuse.org/show_bug.cgi?id=1172935
bugzilla.opensuse.org/show_bug.cgi?id=1173197
bugzilla.opensuse.org/show_bug.cgi?id=1179035
bugzilla.opensuse.org/show_bug.cgi?id=1179113
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:P/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
AI Score
Confidence
High
EPSS
Percentile
76.5%