Package: neomutt / 20180716+dfsg.1-1+deb10u2
Metadata
| Package | Version | Patches format |
|---|---|---|
| neomutt | 20180716+dfsg.1-1+deb10u2 | 3.0 (quilt) |
Patch series
| Patch | File delta | Description |
|---|---|---|
| debian-specific/neomuttrc.patch | doc/neomuttrc.head (39 lines: 37 added, 2 removed, 0 modified) | --- |
| debian-specific/use_usr_bin_editor.patch | init.c (2 lines: 2 added, 0 removed, 0 modified) | use_usr_bin_editor: Even if EDITOR is not set, mutt will always use /usr/bin/editor (which is set by update-alternatives), rather than falling back to vi. |
| debian-specific/document_debian_defaults.patch | init.h (19 lines: 19 added, 0 removed, 0 modified) | document_debian_defaults: Some customizations of the options which stray from the default only on Debian systems. |
| misc/smime.rc.patch | contrib/smime.rc (20 lines: 11 added, 9 removed, 0 modified) | smime.rc: Add CAs provided by ca-certificates to the ones distributed by the default installation of Mutt. Signed-off-by: Matteo F. Vescovi <mfv@debian.org> |
| security/CVE-2020-14093.patch | imap/imap.c (22 lines: 22 added, 0 removed, 0 modified) | [PATCH] Prevent possible IMAP MITM via PREAUTH response. This is similar to CVE-2014-2567 and CVE-2020-12398. STARTTLS is not allowed in the Authenticated state, so previously Mutt would implicitly mark the connection as authenticated and skip any encryption checking/enabling. No credentials are exposed, but it does allow messages to be sent to an attacker, via postpone or fcc'ing for instance. Reuse the $ssl_starttls quadoption "in reverse" to prompt to abort the connection if it is unencrypted. Thanks very much to Damian Poddebniak and Fabian Ising from the Münster University of Applied Sciences for reporting this issue, and their help in testing the fix. |
| security/handle-starttls.patch | conn/socket.c (20 lines: 20 added, 0 removed, 0 modified) | --- |
| security/CVE-2020-28896.patch | imap/imap.c (2 lines: 1 added, 1 removed, 0 modified) | [PATCH] Ensure IMAP connection is closed after a connection error. During connection, if the server provided an illegal initial response, Mutt "bailed", but did not actually close the connection. The calling code unfortunately relied on the connection status to decide to continue with authentication, instead of checking the "bail" return value. This could result in authentication credentials being sent over an unencrypted connection, without $ssl_force_tls being consulted. Fix this by strictly closing the connection on any invalid response during connection. The fix is intentionally small, to ease backporting. A better fix would include removing the 'err_close_conn' label, and perhaps adding return value checking in the caller (though this change obviates the need for that). This addresses CVE-2020-28896. Thanks to Gabriel Salles-Loustau for reporting the problem, and providing test cases to reproduce. |
