CVE-2020-14154

NameCVE-2020-14154
DescriptionMutt before 1.14.3 proceeds with a connection even if, in response to a GnuTLS certificate prompt, the user rejects an expired intermediate certificate.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
mutt (PTS)jessie, jessie (lts)1.5.23-3+deb8u7vulnerable
stretch (security)1.7.2-1+deb9u6vulnerable
stretch (lts), stretch1.7.2-1+deb9u7vulnerable
buster (security), buster, buster (lts)1.10.1-2.1+deb10u7fixed
bullseye (security), bullseye2.0.5-4.1+deb11u3fixed
bookworm2.2.12-0.1~deb12u1fixed
bookworm (security)2.2.9-1+deb12u1fixed
sid, trixie2.2.13-1fixed
neomutt (PTS)buster20180716+dfsg.1-1+deb10u2vulnerable
buster (security), buster (lts)20180716+dfsg.1-1+deb10u1vulnerable
bullseye20201127+dfsg.1-1.2fixed
bookworm20220429+dfsg1-4.1fixed
sid, trixie20241212+dfsg-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
muttsourcebuster1.10.1-2.1+deb10u1
muttsource(unstable)1.14.3-1unimportant
neomuttsource(unstable)20200619+dfsg.1-1unimportant

Notes

http://lists.mutt.org/pipermail/mutt-announce/Week-of-Mon-20200608/000022.html
https://gitlab.com/muttmua/mutt/commit/bb0e6277a45a5d4c3a30d3b968eeb31d78124e95
https://gitlab.com/muttmua/mutt/commit/5fccf603ebcf352ba783136d6b2d2600d811fb3b
https://gitlab.com/muttmua/mutt/commit/f64ec1deefb67d471a642004e102cd1c501a1db3
Negligible security impact

Search for package or bug name: Reporting problems