{"affected":[{"ecosystem_specific":{"binaries":[{"neomutt":"20201120-bp151.3.3.1","neomutt-doc":"20201120-bp151.3.3.1","neomutt-lang":"20201120-bp151.3.3.1"}]},"package":{"ecosystem":"SUSE:Package Hub 15 SP1","name":"neomutt","purl":"pkg:rpm/suse/neomutt&distro=SUSE%20Package%20Hub%2015%20SP1"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"20201120-bp151.3.3.1"}],"type":"ECOSYSTEM"}]}],"aliases":[],"details":"This update for neomutt fixes the following issues:\n\nUpdate neomutt to 20201120. Address boo#1179035, CVE-2020-28896.\n\n  * Security\n    - imap: close connection on all failures\n  * Features\n    - alias: add function to Alias/Query dialogs\n    - config: add validators for {imap,smtp,pop}_authenticators\n    - config: warn when signature file is missing or not readable\n    - smtp: support for native SMTP LOGIN auth mech\n    - notmuch: show originating folder in index\n  * Bug Fixes\n    - sidebar: prevent the divider colour bleeding out\n    - sidebar: fix <sidebar-{next,prev}-new>\n    - notmuch: fix query for current email\n    - restore shutdown-hook functionality\n    - crash in reply-to\n    - use-after-free in folder-hook\n    - fix some leaks\n    - fix application of limits to modified mailboxes\n    - write Date header when postponing\n  * Translations\n    - 100% Lithuanian\n    - 100% Czech\n    - 70% Turkish\n  * Docs\n    - Document that $sort_alias affects the query menu\n  * Build\n    - improve ASAN flags\n    - add SASL and S/MIME to --everything\n    - fix contrib (un)install\n  * Code\n    - my_hdr compose screen notifications\n    - add contracts to the MXAPI\n    - maildir refactoring\n    - further reduce the use of global variables\n  * Upstream\n    - Add $count_alternatives to count attachments inside alternatives\n- Changes from 20200925\n  * Features\n    - Compose: display user-defined headers\n    - Address Book / Query: live sorting\n    - Address Book / Query: patterns for searching\n    - Config: Add '+=' and '-=' 
operators for String Lists\n    - Config: Add '+=' operator for Strings\n    - Allow postfix query ':setenv NAME?' for env vars\n  * Bug Fixes\n    - Fix crash when searching with invalid regexes\n    - Compose: Prevent infinite loop of send2-hooks\n    - Fix sidebar on new/removed mailboxes\n    - Restore indentation for named mailboxes\n    - Prevent half-parsing an alias\n    - Remove folder creation prompt for POP path\n    - Show error if $message_cachedir doesn't point to a valid directory\n    - Fix tracking LastDir in case of IMAP paths with Unicode characters\n    - Make sure all mail gets applied the index limit\n    - Add warnings to -Q query CLI option\n    - Fix index tracking functionality\n  * Changed Config\n    - Add $compose_show_user_headers (yes)\n  * Translations\n    - 100% Czech\n    - 100% Lithuanian\n    - Split up usage strings\n  * Build\n    - Run shellcheck on hcachever.sh\n    - Add the Address Sanitizer\n    - Move compose files to lib under compose/\n    - Move address config into libaddress\n    - Update to latest acutest - fixes a memory leak in the unit tests\n  * Code\n    - Implement ARRAY API\n    - Deglobalised the Config Sort functions\n    - Refactor the Sidebar to be Event-Driven\n    - Refactor the Color Event\n    - Refactor the Commands list\n    - Make ctx_update_tables private\n    - Reduce the scope/deps of some Validator functions\n    - Use the Email's IMAP UID instead of an increasing number as index\n    - debug: log window focus\n- Removed neomutt-sidebar-abbreviate-shorten-what-user-sees.patch.\n  No longer needed.\n\n- Update to 20200821:\n  * Bug Fixes\n    - fix maildir flag generation\n    - fix query notmuch if file is missing\n    - notmuch: don't abort sync on error\n    - fix type checking for send config variables\n  * Changed Config\n    - $sidebar_format - Use %D rather than %B for named mailboxes\n  * Translations\n    - 96% Lithuanian\n    - 90% Polish\n- fix(sidebar): abbreviate/shorten what user 
sees\n\n- Fix sidebar mailbox name display problem. \n\n- Update to 20200814:\n  * Notes\n    - Add one-liner docs to config items\n      See: neomutt -O -Q smart_wrap\n    - Remove the built-in editor\n      A large unused and unusable feature\n  * Security\n    - Add mitigation against DoS from thousands of parts\n      boo#1179113\n  * Features\n    - Allow index-style searching in postpone menu\n    - Open NeoMutt using a mailbox name\n    - Add cd command to change the current working directory\n    - Add tab-completion menu for patterns\n    - Allow renaming existing mailboxes\n    - Check for missing attachments in alternative parts\n    - Add one-liner docs to config items\n  * Bug Fixes\n    - Fix logic in checking an empty From address\n    - Fix Imap crash in cmd_parse_expunge()\n    - Fix setting attributes with S-Lang\n    - Fix: redrawing of $pager_index_lines\n    - Fix progress percentage for syncing large mboxes\n    - Fix sidebar drawing in presence of indentation + named mailboxes\n    - Fix retrieval of drafts when 'postponed' is not in the mailboxes list\n    - Do not add comments to address group terminators\n    - Fix alias sorting for degenerate addresses\n    - Fix attaching emails\n    - Create directories for nonexistent file hcache case\n    - Avoid creating mailboxes for failed subscribes\n    - Fix crash if rejecting cert\n  * Changed Config\n    - Add $copy_decode_weed, $pipe_decode_weed, $print_decode_weed\n    - Change default of $crypt_protected_headers_subject to '...'\n    - Add default keybindings to history-up/down\n  * Translations\n    - 100% Czech\n    - 100% Spanish\n  * Build\n    - Allow building against Lua 5.4\n    - Fix when sqlite3.h is missing\n  * Docs\n    - Add a brief section on stty to the manual\n    - Update section 'Terminal Keybindings' in the manual\n    - Clarify PGP Pseudo-header S<id> duration\n  * Code\n    - Clean up String API\n    - Make the Sidebar more independent\n    - De-centralise the Config 
Variables\n    - Refactor dialogs\n    - Refactor: Help Bar generation\n    - Make more APIs Context-free\n    - Adjust the edata use in Maildir and Notmuch\n    - Window refactoring\n    - Convert libsend to use Config functions\n    - Refactor notifications to reduce noise\n    - Convert Keymaps to use STAILQ\n    - Track currently selected email by msgid\n    - Config: no backing global variable\n    - Add events for key binding\n  * Upstream\n    - Fix imap postponed mailbox use-after-free error\n    - Speed up thread sort when many long threads exist\n    - Fix ~v tagging when switching to non-threaded sorting\n    - Add message/global to the list of known 'message' types\n    - Print progress meter when copying/saving tagged messages\n    - Remove ansi formatting from autoview generated quoted replies\n    - Change postpone mode to write Date header too\n    - Unstuff format=flowed\n\n- Update to 20200626:\n  * Bug Fixes\n    - Avoid opening the same hcache file twice\n    - Re-open Mailbox after folder-hook\n    - Fix the matching of the spoolfile Mailbox\n    - Fix link-thread to link all tagged emails\n  * Changed Config\n    - Add $tunnel_is_secure config, defaulting to true\n  * Upstream\n    - Don't check IMAP PREAUTH encryption if $tunnel is in use\n    - Add recommendation to use $ssl_force_tls\n- Changes from 20200501:\n  * Security\n    - Abort GnuTLS certificate check if a cert in the chain is rejected\n      CVE-2020-14154 boo#1172906\n    - TLS: clear data after a starttls acknowledgement\n      CVE-2020-14954 boo#1173197\n    - Prevent possible IMAP MITM via PREAUTH response\n      CVE-2020-14093 boo#1172935\n  * Features\n    - add config operations +=/-= for number,long\n    - Address book has a comment field\n    - Query menu has a comment field\n  * Contrib\n     sample.neomuttrc-starter: Do not echo prompted password\n  * Bug Fixes\n    - make 'news://' and 'nntp://' schemes interchangeable\n    - Fix CRLF to LF conversion in base64 
decoding\n    - Double comma in query\n    - compose: fix redraw after history\n    - Crash inside empty query menu\n    - mmdf: fix creating new mailbox\n    - mh: fix creating new mailbox\n    - mbox: error out when an mbox/mmdf is a pipe\n    - Fix list-reply by correct parsing of List-Post headers\n    - Decode references according to RFC2047\n    - fix tagged message count\n    - hcache: fix keylen not being considered when building the full key\n    - sidebar: fix path comparison\n    - Don't mess with the original pattern when running IMAP searches\n    - Handle IMAP 'NO' resps by issuing a msg instead of failing badly\n    - imap: use the connection delimiter if provided\n    - Memory leaks\n  * Changed Config\n    - $alias_format default changed to include %c comment\n    - $query_format default changed to include %e extra info\n  * Translations\n    - 100% Lithuanian\n    - 84% French\n    - Log the translation in use\n  * Docs\n    - Add missing commands unbind, unmacro to man pages\n  * Build\n    - Check size of long using LONG_MAX instead of __WORDSIZE\n    - Allow ./configure to not record cflags\n    - fix out-of-tree build\n    - Avoid locating gdbm symbols in qdbm library\n  * Code\n    - Refactor unsafe TAILQ returns\n    - add window notifications\n    - flip negative ifs\n    - Update to latest acutest.h\n    - test: add store tests\n    - test: add compression tests\n    - graphviz: email\n    - make more opcode info available\n    - refactor: main_change_folder()\n    - refactor: mutt_mailbox_next()\n    - refactor: generate_body()\n    - compress: add {min,max}_level to ComprOps\n    - emphasise empty loops: '// do nothing'\n    - prex: convert is_from() to use regex\n    - Refactor IMAP's search routines\n\n- Update to 20200501:\n  * Bug Fixes\n    - Make sure buffers are initialized on error\n    - fix(sidebar): use abbreviated path if possible\n  * Translations\n    - 100% Lithuanian\n  * Docs\n    - make header cache config more 
explicit\n- Changes from 20200424:\n  * Bug Fixes\n    - Fix history corruption\n    - Handle pretty much anything in a URL query part\n    - Correctly parse escaped characters in header phrases\n    - Fix crash reading received header\n    - Fix sidebar indentation\n    - Avoid crashing on failure to parse an IMAP mailbox\n    - Maildir: handle deleted emails correctly\n    - Ensure OP_NULL is always first\n  * Translations\n    - 100% Czech\n  * Build\n    - cirrus: enable pcre2, make pkgconf a special case\n    - Fix finding pcre2 w/o pkgconf\n    - build: tdb.h needs size_t, bring it in with stddef.h\n- Changes from 20200417:\n  * Features\n    - Fluid layout for Compose Screen, see: vimeo.com/407231157\n    - Trivial Database (TDB) header cache backend\n    - RocksDB header cache backend\n    - Add <sidebar-first> and <sidebar-last> functions\n  * Bug Fixes\n    - add error for CLI empty emails\n    - Allow spaces and square brackets in paths\n    - browser: fix hidden mailboxes\n    - fix initial email display\n    - notmuch: fix time window search.\n    - fix resize bugs\n    - notmuch: fix entire-thread: update current email pointer\n    - sidebar: support indenting and shortening of names\n    - Handle variables inside backticks in sidebar_whitelist\n    - browser: fix mask regex error reporting\n  * Translations\n    - 100% Lithuanian\n    - 99% Chinese (simplified)\n  * Build\n    - Use regexes for common parsing tasks: urls, dates\n    - Add configure option --pcre2 -- Enable PCRE2 regular expressions\n    - Add configure option --tdb -- Use TDB for the header cache\n    - Add configure option --rocksdb -- Use RocksDB for the header cache\n    - Create libstore (key/value backends)\n    - Update to latest autosetup\n    - Update to latest acutest.h\n    - Rename doc/ directory to docs/\n    - make: fix location of .Po dependency files\n    - Change libcompress to be more universal\n    - Fix test fails on x32\n    - fix uidvalidity to unsigned 32-bit 
int\n  * Code\n    - Increase test coverage\n    - Fix memory leaks\n    - Fix null checks\n  * Upstream\n    - Buffer refactoring\n    - Fix use-after-free in mutt_str_replace()\n    - Clarify PGP Pseudo-header S<id> duration\n    - Try to respect MUTT_QUIET for IMAP contexts too\n    - Limit recurse depth when parsing mime messages\n\n- Update to 20200320:\n  * Bug Fixes\n    - Fix COLUMNS env var\n    - Fix sync after delete\n    - Fix crash in notmuch\n    - Fix sidebar indent\n    - Fix emptying trash\n    - Fix command line sending\n    - Fix reading large address lists\n    - Resolve symlinks only when necessary\n  * Translations\n    - lithuania 100% Lithuanian\n    - es 96% Spanish\n  * Docs\n    - Include OpenSSL/LibreSSL/GnuTLS version in neomutt -v output\n    - Fix case of GPGME and SQLite\n  * Build\n    - Create libcompress (lz4, zlib, zstd)\n    - Create libhistory\n    - Create libbcache\n    - Move zstrm to libconn\n  * Code\n    - Add more test coverage\n    - Rename magic to type\n    - Use mutt_file_fopen() on config variables\n    - Change commands to use intptr_t for data\n\n- Update to 20200313:\n  * Window layout\n    - Sidebar is only visible when it's usable.\n  * Features\n    - UI: add number of old messages to sidebar_format\n    - UI: support ISO 8601 calendar date\n    - UI: fix commands that don’t need to have a non-empty mailbox\n      to be valid\n    - PGP: inform about successful decryption of inline PGP\n      messages\n    - PGP: try to infer the signing key from the From address\n    - PGP: enable GPGMe by default\n    - Notmuch: use query as name for vfolder-from-query\n    - IMAP: add network traffic compression\n      (COMPRESS=DEFLATE, RFC4978)\n    - Header cache: add support for generic header cache\n      compression\n  * Bug Fixes\n    - Fix uncollapse_jump\n    - Only try to perform entire-thread on maildir/mh mailboxes\n    - Fix crash in pager\n    - Avoid logging single new lines at the end of header fields\n    - 
Fix listing mailboxes\n    - Do not recurse a non-threaded message\n    - Fix initial window order\n    - Fix leaks on IMAP error paths\n    - Notmuch: compose(attach-message): support notmuch backend\n    - Fix IMAP flag comparison code\n    - Fix $move for IMAP mailboxes\n    - Maildir: maildir_mbox_check_stats should only update mailbox\n      stats if requested\n    - Fix unmailboxes for virtual mailboxes\n    - Maildir: sanitize filename before hashing\n    - OAuth: if 'login' name isn't available use 'user'\n    - Add error message on failed encryption\n    - Fix a bunch of crashes\n    - Force C locale for email date\n    - Abort if run without a terminal\n  * Changed Config\n    - $crypt_use_gpgme - Now defaults to 'yes' (enabled)\n    - $abort_backspace - Hitting backspace against an empty prompt\n      aborts the prompt\n    - $abort_key - String representation of key to abort prompts\n    - $arrow_string - Use a custom string for arrow_cursor\n    - $crypt_opportunistic_encrypt_strong_keys - Enable encryption\n      only when a strong key is available\n    - $header_cache_compress_dictionary - Filepath to dictionary\n      for zstd compression\n    - $header_cache_compress_level - Level of compression for\n      method\n    - $header_cache_compress_method - Enable generic hcache\n      database compression\n    - $imap_deflate - Compress network traffic\n    - $smtp_user - Username for the SMTP server\n  * Translations\n    - 100% Lithuanian\n    - 81% Spanish\n    - 78% Russian\n  * Build\n    - Add libdebug\n    - Rename public headers to lib.h\n    - Create libcompress for compressed folders code\n  * Code\n    - Refactor Windows and Dialogs\n    - Lots of code tidying\n    - Refactor: mutt_addrlist_{search,write}\n    - Lots of improvements to the Config code\n    - Use Buffers more pervasively\n    - Unify API function naming\n    - Rename library shared headers\n    - Refactor libconn gui dependencies\n    - Refactor: init.[ch]\n    - Refactor 
config to use subsets\n    - Config: add path type\n    - Remove backend deps from the connection code\n  * Upstream\n    - Allow ~b ~B ~h patterns in send2-hook\n    - Rename smime oppenc mode parameter to get_keys_by_addr()\n    - Add $crypt_opportunistic_encrypt_strong_keys config var\n    - Fix crash when polling a closed ssl connection\n    - Turn off auto-clear outside of autocrypt initialization\n    - Add protected-headers='v1' to Content-Type when protecting\n      headers\n    - Fix segv in IMAP postponed menu caused by reopen_allow\n    - Adding ISO 8601 calendar date\n    - Fix $fcc_attach to not prompt in batch mode\n    - Convert remaining mutt_encode_path() call to use struct\n      Buffer\n    - Fix rendering of replacement_char when Charset_is_utf8\n    - Update to latest acutest.h\n\n- Update to 20191207:\n  * Features:\n    - compose: draw status bar with highlights\n  * Bug Fixes:\n    - crash opening notmuch mailbox\n    - crash in mutt_autocrypt_ui_recommendation\n    - Avoid negative allocation\n    - Mbox new mail\n    - Setting of DT_MAILBOX type variables from Lua\n    - imap: empty cmdbuf before connecting\n    - imap: select the mailbox on reconnect\n    - compose: fix attach message\n  * Build:\n    - make files conditional\n  * Code:\n    - enum-ify log levels\n    - fix function prototypes\n    - refactor virtual email lookups\n    - factor out global Context\n- Changes from 20191129:\n  * Features:\n    - Add raw mailsize expando (%cr)\n  * Bug Fixes:\n    - Avoid double question marks in bounce confirmation msg\n    - Fix bounce confirmation\n    - fix new-mail flags and behaviour\n    - fix: browser <descend-directory>\n    - fix ssl crash\n    - fix move to trash\n    - fix flickering\n    - Do not check hidden mailboxes for new mail\n    - Fix new_mail_command notifications\n    - fix crash in examine_mailboxes()\n    - fix crash in mutt_sort_threads()\n    - fix: crash after sending\n    - Fix crash in tunnel's conn_close\n    - 
fix fcc for deep dirs\n    - imap: fix crash when new mail arrives\n    - fix colour 'quoted9'\n    - quieten messages on exit\n    - fix: crash after failed mbox_check\n    - browser: default to a file/dir view when attaching a file\n  * Changed Config:\n    - Change $write_bcc to default off\n  * Docs:\n    - Add a bit more documentation about sending\n    - Clarify $write_bcc documentation.\n    - Update documentation for raw size expando\n    - docbook: set generate.consistent.ids to make generated html\n      reproducible\n  * Build:\n    - fix build/tests for 32-bit arches\n    - tests: fix test that would fail soon\n    - tests: fix context for failing idna tests\n\n- Update to 20191111:\n  Bug fixes:\n  * browser: fix directory view\n  * fix crash in mutt_extract_token()\n  * force a screen refresh\n  * fix crash sending message from command line\n  * notmuch: use nm_default_uri if no mailbox data\n  * fix forward attachments\n  * fix: vfprintf undefined behaviour in body_handler\n  * Fix relative symlink resolution\n  * fix: trash to non-existent file/dir\n  * fix re-opening of mbox Mailboxes\n  * close logging as late as possible\n  * log unknown mailboxes\n  * fix crash in command line postpone\n  * fix memory leaks\n  * fix icommand parsing\n  * fix new mail interaction with mail_check_recent\n\nThis update was imported from the openSUSE:Leap:15.1:Update update 
project.","id":"openSUSE-SU-2020:2157-1","modified":"2020-12-04T09:23:27Z","published":"2020-12-04T09:23:27Z","references":[{"type":"ADVISORY","url":"https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/SO2YEN5NDIBWU3W774SS3UQQJQHS3Y2L/"},{"type":"REPORT","url":"https://bugzilla.suse.com/1172906"},{"type":"REPORT","url":"https://bugzilla.suse.com/1172935"},{"type":"REPORT","url":"https://bugzilla.suse.com/1173197"},{"type":"REPORT","url":"https://bugzilla.suse.com/1179035"},{"type":"REPORT","url":"https://bugzilla.suse.com/1179113"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2020-14093"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2020-14154"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2020-14954"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2020-28896"}],"related":["CVE-2020-14093","CVE-2020-14154","CVE-2020-14954","CVE-2020-28896"],"summary":"Security update for neomutt","upstream":["CVE-2020-14093","CVE-2020-14154","CVE-2020-14954","CVE-2020-28896"]}