
Security: Multiple issues in NeoMutt
Name: Multiple issues in NeoMutt
ID: USN-7204-1
Distribution: Ubuntu
Platforms: Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, Ubuntu 24.04 LTS
Date: Thu, 16 January 2025, 06:28
References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14354
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14954
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14360
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14357
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14351
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1328
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14361
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14350
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14362
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28896
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14353
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14363
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14355
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14352
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-49393
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14356
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14358
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14359
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-49394
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14349
https://ubuntu.com/security/notices/USN-7204-1
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32055
Applications: NeoMutt

Original message

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
From: John Breton <john.breton@canonical.com>
Reply-To: security@ubuntu.com
To: ubuntu-security-announce@lists.ubuntu.com
Message-ID: <c034bfa7-69f6-487c-a563-72128acf2fbb@canonical.com>
Subject: [USN-7204-1] NeoMutt vulnerabilities

==========================================================================
Ubuntu Security Notice USN-7204-1
January 15, 2025

neomutt vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS

Summary:

Several security issues were fixed in NeoMutt.

Software Description:
- neomutt: command line mail reader based on Mutt, with added features

Details:

Jeriko One discovered that NeoMutt incorrectly handled certain IMAP
and POP3 responses. An attacker could possibly use this issue to
cause NeoMutt to crash, resulting in a denial of service, or
the execution of arbitrary code. This issue only affected
Ubuntu 18.04 LTS. (CVE-2018-14349, CVE-2018-14350, CVE-2018-14351,
CVE-2018-14352, CVE-2018-14353, CVE-2018-14354, CVE-2018-14355,
CVE-2018-14356, CVE-2018-14357, CVE-2018-14358, CVE-2018-14359,
CVE-2018-14362)

Jeriko One discovered that NeoMutt incorrectly handled certain
NNTP-related operations. An attacker could possibly use this issue
to cause NeoMutt to crash, resulting in denial of service, or
the execution of arbitrary code. This issue only affected
Ubuntu 18.04 LTS. (CVE-2018-14360, CVE-2018-14361, CVE-2018-14363)

It was discovered that NeoMutt incorrectly processed additional data
when communicating with mail servers. An attacker could possibly use
this issue to access sensitive information. This issue only affected
Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. (CVE-2020-14954, CVE-2020-28896)

It was discovered that NeoMutt incorrectly handled the IMAP QRESYNC
setting. An attacker could possibly use this issue to cause NeoMutt
to crash, resulting in denial of service. This issue only affected
Ubuntu 20.04 LTS. (CVE-2021-32055)

Tavis Ormandy discovered that NeoMutt incorrectly parsed uuencoded
text past the length of the string. An attacker could possibly use
this issue to enable the execution of arbitrary code. This issue
only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, and
Ubuntu 22.04 LTS. (CVE-2022-1328)

It was discovered that NeoMutt did not properly encrypt email headers.
An attacker could possibly use this issue to receive emails that were
not intended for them and access sensitive information. This
vulnerability was only fixed in Ubuntu 20.04 LTS, Ubuntu 22.04 LTS,
and Ubuntu 24.04 LTS. (CVE-2024-49393, CVE-2024-49394)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.04 LTS
neomutt 20231103+dfsg1-1ubuntu0.1~esm1
Available with Ubuntu Pro

Ubuntu 22.04 LTS
neomutt 20211029+dfsg1-1ubuntu0.1~esm1
Available with Ubuntu Pro

Ubuntu 20.04 LTS
neomutt 20191207+dfsg.1-1.1ubuntu0.1~esm1
Available with Ubuntu Pro

Ubuntu 18.04 LTS
neomutt 20171215+dfsg.1-1ubuntu0.1~esm1
Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-7204-1
CVE-2018-14349, CVE-2018-14350, CVE-2018-14351, CVE-2018-14352,
CVE-2018-14353, CVE-2018-14354, CVE-2018-14355, CVE-2018-14356,
CVE-2018-14357, CVE-2018-14358, CVE-2018-14359, CVE-2018-14360,
CVE-2018-14361, CVE-2018-14362, CVE-2018-14363, CVE-2020-14954,
CVE-2020-28896, CVE-2021-32055, CVE-2022-1328, CVE-2024-49393,
CVE-2024-49394

