CVE-2020-28896

Name	CVE-2020-28896
Description	Mutt before 2.0.2 and NeoMutt before 2020-11-20 did not ensure that $ssl_force_tls was processed if an IMAP server's initial server response was invalid. The connection was not properly closed, and the code could continue attempting to authenticate. This could result in authentication credentials being exposed on an unencrypted connection, or to a machine-in-the-middle.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DLA-2472-1, ELA-325-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
mutt (PTS)	jessie, jessie (lts)	1.5.23-3+deb8u7	fixed
	stretch (security)	1.7.2-1+deb9u6	fixed
	stretch (lts), stretch	1.7.2-1+deb9u7	fixed
	buster (security), buster, buster (lts)	1.10.1-2.1+deb10u7	fixed
	bullseye (security), bullseye	2.0.5-4.1+deb11u3	fixed
	bookworm	2.2.12-0.1~deb12u1	fixed
	bookworm (security)	2.2.9-1+deb12u1	fixed
	sid, trixie	2.2.13-1	fixed
neomutt (PTS)	buster	20180716+dfsg.1-1+deb10u2	fixed
	buster (security), buster (lts)	20180716+dfsg.1-1+deb10u1	vulnerable
	bullseye	20201127+dfsg.1-1.2	fixed
	bookworm	20220429+dfsg1-4.1	fixed
	sid, trixie	20241114+dfsg-1	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Origin
mutt	source	jessie	1.5.23-3+deb8u4	ELA-325-1
mutt	source	stretch	1.7.2-1+deb9u4	DLA-2472-1
mutt	source	buster	1.10.1-2.1+deb10u4
mutt	source	(unstable)	2.0.2-1
neomutt	source	buster	20180716+dfsg.1-1+deb10u2
neomutt	source	(unstable)	20201120+dfsg.1-1

Notes

https://gitlab.com/muttmua/mutt/-/commit/04b06aaa3e0cc0022b9b01dbca2863756ebbf59a
https://github.com/neomutt/neomutt/commit/9c36717a3e2af1f2c1b7242035455ec8112b4b06