Patch to fix CVE-2020-14093.
Imported directly from upstream:
https://gitlab.com/muttmua/mutt/-/commit/3e88866dc60b5fa6aaba6fd7c1710c12c1c3cd01

Tracked on https://bugs.debian.org/962897

--- a/imap/imap.c
+++ b/imap/imap.c
@@ -464,6 +464,22 @@
   }
   else if (ascii_strncasecmp ("* PREAUTH", idata->buf, 9) == 0)
   {
+#if defined(USE_SSL)
+    /* An unencrypted PREAUTH response is most likely a MITM attack.
+     * Require a confirmation. */
+    if (!idata->conn->ssf)
+    {
+      if (option(OPTSSLFORCETLS) ||
+          (query_quadoption (OPT_SSLSTARTTLS,
+                             _("Abort unencrypted PREAUTH connection?")) != MUTT_NO))
+      {
+        mutt_error _("Encrypted connection unavailable");
+        mutt_sleep (1);
+        goto err_close_conn;
+      }
+    }
+#endif
+
     idata->state = IMAP_AUTHENTICATED;
     if (imap_check_capabilities (idata) != 0)
       goto bail;