
Description

mutt_ssl.c in mutt 1.5.16 and other versions before 1.5.19, when OpenSSL is used, does not verify the domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
Source Package   Release                         Version               Status
mutt (PTS)       buster                          1.10.1-2.1+deb10u6    fixed
                 buster (security)               1.10.1-2.1+deb10u7    fixed
                 bullseye (security), bullseye   2.0.5-4.1+deb11u3     fixed
                 bookworm (security)             2.2.9-1+deb12u1       fixed
                 sid, trixie                     2.2.12-0.1            fixed

Notes

- mutt <not-affected> (uses GnuTLS and not OpenSSL)
  our mutt is linked against gnutls, bug #553433

