Change logs for mutt source package in Stretch

  • mutt (1.7.2-1+deb9u3) stretch-security; urgency=high
    
      * debian/patches:
        + added security/CVE-not-yet-released.patch to fix a possible MITM
          response injection attack when using STARTTLS with IMAP, POP3 and SMTP.
    
     -- Antonio Radici <email address hidden>  Fri, 19 Jun 2020 06:55:35 +0200
  • mutt (1.7.2-1+deb9u1) stretch-security; urgency=high
    
      * Initial changelog entries for security update (Closes: 904051)
      * Patches provided by Roberto C. Sánchez <email address hidden>
        + Fix arbitrary command execution by remote IMAP servers via backquote
          characters, related to the mailboxes command associated with a manual
          subscription or unsubscription (CVE-2018-14354)
        + Fix arbitrary command execution by remote IMAP servers via backquote
          characters, related to the mailboxes command associated with an automatic
          subscription (CVE-2018-14357)
        + Fix a stack-based buffer overflow caused by imap_quote_string() not
          leaving room for quote characters (CVE-2018-14352)
        + Fix an integer underflow in imap_quote_string() (CVE-2018-14353)
        + Fix mishandling of zero-length UID in pop.c (CVE-2018-14356)
        + Fix unsafe interaction between message-cache pathnames and certain
          characters in pop.c (CVE-2018-14362)
        + Fix mishandling of ".." directory traversal in IMAP mailbox name
          (CVE-2018-14355)
        + Fix a stack-based buffer overflow for an IMAP FETCH response with a long
          INTERNALDATE field (CVE-2018-14350)
        + Fix a stack-based buffer overflow for an IMAP FETCH response with a long
          RFC822.SIZE field (CVE-2018-14358)
        + Fix mishandling of an IMAP NO response without a message (CVE-2018-14349)
        + Fix mishandling of long IMAP status mailbox literal count size
          (CVE-2018-14351)
        + Fix a buffer overflow via base64 data (CVE-2018-14359)
        + Fix a stack-based buffer overflow because of incorrect sscanf usage
          (CVE-2018-14360)
        + Fix a defect where processing continues if memory allocation fails for
          NNTP messages (CVE-2018-14361)
        + Fix unsafe interaction between message-cache pathnames and certain
          characters in newsrc.c (CVE-2018-14363)
    
     -- Antonio Radici <email address hidden>  Tue, 07 Aug 2018 09:48:44 +0100
  • mutt (1.7.2-1) unstable; urgency=medium
    
      * New upstream Mutt release.
      * New upstream NeoMutt release, 2017-01-13.
      * debian/patches:
        + all patches refreshed.
        + upstream/gpgme-set-sender.patch removed because it is already upstream.
    
     -- Antonio Radici <email address hidden>  Fri, 20 Jan 2017 21:47:49 +0000
  • mutt (1.7.1-5) unstable; urgency=medium
    
      * debian/patches:
        + add upstream/gpgme-set-sender.patch otherwise the package
          does not build due to conflicting declarations.
    
     -- Antonio Radici <email address hidden>  Thu, 01 Dec 2016 20:41:44 +0000
  • mutt (1.7.1-3) unstable; urgency=medium
    
      * Team upload.
    
      [ Antonio Radici ]
      * debian-specific/828751-pinentry-gpg2-support.patch: moved
        --pinentry-loopback within the conditional that checks the existence of
        PGPPASSFD.
    
      [ Evgeni Golov ]
      * update neomutt patch to 20161104
      * do not apply 835421-pop-digest-md5.patch, it's part of neomutt 20161104
      * refresh gpg.rc-paths.patch after 828751-pinentry-gpg2-support.patch
    
      [ Christoph Berg ]
      * Remove myself from Uploaders. Thanks for the fish!
    
     -- Evgeni Golov <email address hidden>  Mon, 07 Nov 2016 19:17:50 +0100
  • mutt (1.7.1-2) unstable; urgency=medium
    
      * Dropped neomutt-devel/837601-do-not-segfault-on-new-mails.patch which
        caused an extra empty line to be added to the pager.
    
     -- Antonio Radici <email address hidden>  Sun, 16 Oct 2016 20:17:38 +0100
  • mutt (1.7.0-6) unstable; urgency=medium
    
      * New upstream NeoMutt release, 2016-09-16
        + Refreshed some patches to apply cleanly.
      * Dropped the following patches as a result of the above release:
        + neomutt-devel/fix-array-bounds-error.patch
        + neomutt-devel/fix-tarname-in-ac-init.patch
        + neomutt-devel/837416-avoid-segfault-when-listing-\
          mailboxes-on-startup.patch
        + upstream/833192-preserve-messageid-for-postponed-emails.patch
        + upstream/openssl-1.1-build.patch
        + upstream/837673-fix-gpgme-sign-bindings.patch
      * debian/NEWS:
        + added an info about the deprecation of --encrypt-to in hardcoded gnupg
          command (Closes: 838352).
        + added a note about $attribution_locale and the removal of $locale,
          introduced with the latest Neomutt version (Closes: 414828).
      * debian/patches:
        + neomutt-devel/drop-neomutt-syntax.patch: remove neomutt-syntax.vim
          otherwise the package does not build.
        + debian-specific/Muttrc.patch: add three more headers to mailto_allow
          (Closes: 834765).
    
     -- Antonio Radici <email address hidden>  Sat, 24 Sep 2016 23:29:56 +0100
  • mutt (1.7.0-5) unstable; urgency=medium
    
      * debian/patches:
        + neomutt-devel/837601-do-not-segfault-on-new-mails.patch: updated to
          prevent crash when exiting from the pager while viewing a composed email
          (Closes: 837634).
        + upstream/827189-opportunistic-encryption-crash.patch: do not crash when
          doing opportunistic encryption with long addresses (Closes: 827189).
        + upstream/upstream/837673-fix-gpgme-sign-bindings.patch: to use correct
          key bindings if the pgp sign message is not translated (Closes: 837673).
    
     -- Antonio Radici <email address hidden>  Tue, 13 Sep 2016 14:57:35 +0100
  • mutt (1.7.0-1) unstable; urgency=medium
    
      * New upstream release.
      * New upstream NeoMutt release, 2016-08-27.
        - neomutt-devel/restore-docfile-installation.patch removed (already
          upstream).
      * debian/patches:
        + some patches refreshed.
        + debian-specific/document_debian_defaults.patch updated to remove an
          incorrect reference to a default variable (Closes: 741166).
        + upstream/611410-no-implicit_autoview-for-text-html.patch restored, it was
          incorrectly dropped (Closes: 823971).
        + upstream/835421-pop-digest-md5.patch to incorrectly handle pop DIGEST-MD5
          auth (Closes: 835421).
        + upstream/693993-manpage-corrections.patch with some fixes to the manpage
          (Closes: 693993).
        + upstream/749483-conststrings.patch fixes a conflicting declaration
          (Closes: 749483)
    
     -- Antonio Radici <email address hidden>  Sun, 28 Aug 2016 15:10:08 +0100
  • mutt (1.6.2-1) unstable; urgency=medium
    
      * New upstream release.
      * New upstream NeoMutt release, 2016-07-23.
        - Adds SMIME encrypt to self patch. (Closes: #688970)
      * Backport a fix for the sidebar from neomutt git/mutt hg, patch
        imap-sidebar-update-bug.patch.
      * Update NEWS.Debian and (unfortunately) rewrite history in order to make it
        a little more consistent and easier to read for users upgrading from
        jessie. (Closes: #832761)
      * The sidebar patch has been stabilized with this release, with the option
        names also having been stable enough to be included into upstream mutt
        (what will become 1.7.0). All the known Debian bugs have been fixed and
        changes have been documented in NEWS. (Closes: #499596, #741853, #777127,
        #821748, #823142, #823454, #823654, #823655)
      * Remove the /etc/Muttrc.d/sidebar.rc conffile which enabled sidebar by
        default. Sidebar is now OFF by default, in order to stick with upstream's
        defaults and what most mutt users expect. Document this in NEWS.Debian.
      * Ship our patched Muttrc instead of the stock, non-generated Muttrc,
        a regression from 1.6.1-2. (Closes: #830692, #830695)
      * Remove the assumed_charset-compat.patch and inform users of the renamed
        option ("file_charset" -> "attach_charset") via NEWS.Debian.
    
     -- Faidon Liambotis <email address hidden>  Fri, 29 Jul 2016 16:43:06 +0300
  • mutt (1.6.0-1) unstable; urgency=medium
    
      * New upstream release.
        + adds the -E option to modify the draft file (Closes: #695220, #434235)
        + does not crash while managing attachments (Closes: #677687)
        + allows setting the signing digest for S/MIME (Closes: #741147)
        + properly parses Outlook's S/MIME signatures (Closes: #701013)
    
      [ Antonio Radici ]
      * debian/control: moved the MTA from Recommends to Suggests (Closes: #670769)
      * debian/extra/mutt.desktop: set NoDisplay to false (Closes: #678596)
    
      [ Matteo F. Vescovi ]
      * debian/patches/: patchset updated
        - upstream/809802_timeout_hook.patch added (Closes: #809802)
        As stated by the upstream maintainer,
        the following patches can be safely dropped: (Closes: #816706)
        - misc/fix-configure-test-operator.patch
        - upstream/531430-imapuser.patch
        - upstream/543467-thread-segfault.patch
        - upstream/548577-gpgme-1.2.patch
        - upstream/553321-ansi-escape-segfault.patch
        - upstream/603288-split-fetches.patch
        - upstream/611410-no-implicit_autoview-for-text-html.patch
      * debian/rules: Glob expansions added to make mutt reproducible.
        Thanks to Daniel Shahaf for the patch (Closes: #818419)
      * debian/control: S-V bump 3.9.6 -> 3.9.8 (no changes needed)
      * debian/control: Vcs-* fields updated for https:// usage
      * debian/control: add myself to Uploaders
      * debian/mutt.menu: file dropped
    
      [ Evgeni Golov ]
      * update sidebar patch to the 20151111 version
      * update nntp patch to the 1.6.0 version
      * drop patches applied upstream
      * refresh patches against 1.6.0
    
     -- Matteo F. Vescovi <email address hidden>  Tue, 26 Apr 2016 16:46:49 +0200
  • mutt (1.5.24-1) unstable; urgency=medium
    
      * Team upload.
    
      [ Evgeni Golov ]
      * Fix implicit-function-declaration warnings during compile
    
      [ Matteo F. Vescovi ]
      * Imported Upstream version 1.5.24 (Closes: #763522)
      * debian/patches/: patchset re-worked against v1.5.24
        - features-old/patch-1.5.4.vk.pgp_verbose_mime.patch dropped
          (applied upstream)
        - features/xtitles.patch dropped (different approach by upstream)
        - upstream/542817-smimekeys-tmpdir.patch dropped (applied upstream)
        - upstream/547980-smime_keys-chaining.patch dropped (applied upstream)
        - upstream/624058-gnutls-deprecated.patch dropped (applied upstream)
      * debian/control: S-V bump 3.9.5 => 3.9.6 (no changes needed)
      * debian/: GnuPG signature verification added
      * debian/watch: path to release tarballs updated
    
     -- Christoph Berg <email address hidden>  Sun, 20 Sep 2015 17:58:34 +0200
  • mutt (1.5.23-3.1) unstable; urgency=low
    
      * Non-maintainer upload.
      * upstream/624058-gnutls-deprecated.patch: Use gnutls_priority_set_direct()
        instead of gnutls_protocol_set_priority() together with
        gnutls_set_default_priority(). Cherrypick the relevant parts from upstream
        HG, without the compatibility stuff for ancient (< 2.2.0) GnuTLS.
        Closes: #624058
    
     -- Andreas Metzler <email address hidden>  Sat, 01 Aug 2015 13:54:03 +0200
  • mutt (1.5.23-3) unstable; urgency=medium
    
    
      * Fixed upstream/771125-CVE-2014-9116-jessie.patch thanks to Salvatore
        Bonaccorso; now it correctly fixes the CVE and does not affect other
        functionalities of mutt (Closes: 771674)
    
     -- Antonio Radici <email address hidden>  Thu, 04 Dec 2014 21:09:07 +0000