Format: 1.8
Date: Tue, 07 Aug 2018 09:48:44 +0100
Source: mutt
Binary: mutt
Architecture: source
Version: 1.7.2-1+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Mutt maintainers <pkg-mutt-maintainers@lists.alioth.debian.org>
Changed-By: Antonio Radici <antonio@debian.org>
Description:
 mutt - text-based mailreader supporting MIME, GPG, PGP and threading
Closes: 904051
Changes:
 mutt (1.7.2-1+deb9u1) stretch-security; urgency=high
 .
   * Initial changelog entries for security update (Closes: 904051)
   * Patches provided by Roberto C. Sánchez <roberto@debian.org>
     + Fix arbitrary command execution by remote IMAP servers via backquote
       characters, related to the mailboxes command associated with a manual
       subscription or unsubscription (CVE-2018-14354)
     + Fix arbitrary command execution by remote IMAP servers via backquote
       characters, related to the mailboxes command associated with an
       automatic subscription (CVE-2018-14357)
     + Fix a stack-based buffer overflow caused by imap_quote_string() not
       leaving room for quote characters (CVE-2018-14352)
     + Fix an integer underflow in imap_quote_string() (CVE-2018-14353)
     + Fix mishandling of zero-length UID in pop.c (CVE-2018-14356)
     + Fix unsafe interaction between message-cache pathnames and certain
       characters in pop.c (CVE-2018-14362)
     + Fix mishandling of ".." directory traversal in IMAP mailbox name
       (CVE-2018-14355)
     + Fix a stack-based buffer overflow for an IMAP FETCH response with a
       long INTERNALDATE field (CVE-2018-14350)
     + Fix a stack-based buffer overflow for an IMAP FETCH response with a
       long RFC822.SIZE field (CVE-2018-14358)
     + Fix mishandling of an IMAP NO response without a message
       (CVE-2018-14349)
     + Fix mishandling of long IMAP status mailbox literal count size
       (CVE-2018-14351)
     + Fix a buffer overflow via base64 data (CVE-2018-14359)
     + Fix a stack-based buffer overflow because of incorrect sscanf usage
       (CVE-2018-14360)
     + Fix a defect where processing continues if memory allocation fails
       for NNTP messages (CVE-2018-14361)
   * Fix unsafe interaction between message-cache pathnames and certain
     characters in newsrc.c (CVE-2018-14363)