CVE-2020-14154

NameCVE-2020-14154
DescriptionMutt before 1.14.3 proceeds with a connection even if, in response to a GnuTLS certificate prompt, the user rejects an expired intermediate certificate.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severitymedium

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
mutt (PTS)stretch1.7.2-1+deb9u1vulnerable
stretch (security)1.7.2-1+deb9u3vulnerable
buster1.10.1-2.1vulnerable
buster (security)1.10.1-2.1+deb10u2fixed
bullseye, sid1.14.5-1fixed
neomutt (PTS)buster20180716+dfsg.1-1vulnerable
buster (security)20180716+dfsg.1-1+deb10u1vulnerable
bullseye, sid20200626+dfsg.1-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
muttsource(unstable)1.14.3-1unimportant
muttsourcebuster1.10.1-2.1+deb10u1
neomuttsource(unstable)20200619+dfsg.1-1unimportant

Notes

http://lists.mutt.org/pipermail/mutt-announce/Week-of-Mon-20200608/000022.html
https://gitlab.com/muttmua/mutt/commit/bb0e6277a45a5d4c3a30d3b968eeb31d78124e95
https://gitlab.com/muttmua/mutt/commit/5fccf603ebcf352ba783136d6b2d2600d811fb3b
https://gitlab.com/muttmua/mutt/commit/f64ec1deefb67d471a642004e102cd1c501a1db3
Negligible security impact

Search for package or bug name: Reporting problems