CVE-2020-14154

NameCVE-2020-14154
DescriptionMutt before 1.14.3 proceeds with a connection even if, in response to a GnuTLS certificate prompt, the user rejects an expired intermediate certificate.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
mutt (PTS)bullseye (security), bullseye2.0.5-4.1+deb11u3fixed
bookworm2.2.12-0.1~deb12u1fixed
bookworm (security)2.2.9-1+deb12u1fixed
sid, trixie2.2.13-1fixed
neomutt (PTS)bullseye20201127+dfsg.1-1.2fixed
bookworm20220429+dfsg1-4.1fixed
trixie20240425+dfsg-2fixed
sid20241002+dfsg-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
muttsourcebuster1.10.1-2.1+deb10u1
muttsource(unstable)1.14.3-1unimportant
neomuttsource(unstable)20200619+dfsg.1-1unimportant

Notes

http://lists.mutt.org/pipermail/mutt-announce/Week-of-Mon-20200608/000022.html
https://gitlab.com/muttmua/mutt/commit/bb0e6277a45a5d4c3a30d3b968eeb31d78124e95
https://gitlab.com/muttmua/mutt/commit/5fccf603ebcf352ba783136d6b2d2600d811fb3b
https://gitlab.com/muttmua/mutt/commit/f64ec1deefb67d471a642004e102cd1c501a1db3
Negligible security impact

Search for package or bug name: Reporting problems