Oval Definition: oval:org.opensuse.security:def:110346
Revision Date: 2020-11-30
Version: 1
Title: Security update for neomutt (Moderate)
Description:
This update for neomutt fixes the following issues:

Update neomutt to 20201120. Address boo#1179035, CVE-2020-28896.

* Security
- imap: close connection on all failures
* Features
- alias: add function to Alias/Query dialogs
- config: add validators for {imap,smtp,pop}_authenticators
- config: warn when signature file is missing or not readable
- smtp: support for native SMTP LOGIN auth mech
- notmuch: show originating folder in index
* Bug Fixes
- sidebar: prevent the divider colour bleeding out
- sidebar: fix
- notmuch: fix query for current email
- restore shutdown-hook functionality
- crash in reply-to
- use-after-free in folder-hook
- fix some leaks
- fix application of limits to modified mailboxes
- write Date header when postponing
* Translations
- 100% Lithuanian
- 100% Czech
- 70% Turkish
* Docs
- Document that $sort_alias affects the query menu
* Build
- improve ASAN flags
- add SASL and S/MIME to --everything
- fix contrib (un)install
* Code
- my_hdr compose screen notifications
- add contracts to the MXAPI
- maildir refactoring
- further reduce the use of global variables
* Upstream
- Add $count_alternatives to count attachments inside alternatives
- Changes from 20200925
* Features
- Compose: display user-defined headers
- Address Book / Query: live sorting
- Address Book / Query: patterns for searching
- Config: Add '+=' and '-=' operators for String Lists
- Config: Add '+=' operator for Strings
- Allow postfix query ':setenv NAME?' for env vars
* Bug Fixes
- Fix crash when searching with invalid regexes
- Compose: Prevent infinite loop of send2-hooks
- Fix sidebar on new/removed mailboxes
- Restore indentation for named mailboxes
- Prevent half-parsing an alias
- Remove folder creation prompt for POP path
- Show error if $message_cachedir doesn't point to a valid directory
- Fix tracking LastDir in case of IMAP paths with Unicode characters
- Make sure all mail gets applied the index limit
- Add warnings to -Q query CLI option
- Fix index tracking functionality
* Changed Config
- Add $compose_show_user_headers (yes)
* Translations
- 100% Czech
- 100% Lithuanian
- Split up usage strings
* Build
- Run shellcheck on hcachever.sh
- Add the Address Sanitizer
- Move compose files to lib under compose/
- Move address config into libaddress
- Update to latest acutest - fixes a memory leak in the unit tests
* Code
- Implement ARRAY API
- Deglobalised the Config Sort functions
- Refactor the Sidebar to be Event-Driven
- Refactor the Color Event
- Refactor the Commands list
- Make ctx_update_tables private
- Reduce the scope/deps of some Validator functions
- Use the Email's IMAP UID instead of an increasing number as index
- debug: log window focus
- Removed neomutt-sidebar-abbreviate-shorten-what-user-sees.patch.
No longer needed.

- Update to 20200821:
* Bug Fixes
- fix maildir flag generation
- fix query notmuch if file is missing
- notmuch: don't abort sync on error
- fix type checking for send config variables
* Changed Config
- $sidebar_format - Use %D rather than %B for named mailboxes
* Translations
- 96% Lithuanian
- 90% Polish
- fix(sidebar): abbreviate/shorten what user sees

- Fix sidebar mailbox name display problem.

- Update to 20200814:
* Notes
- Add one-liner docs to config items
See: neomutt -O -Q smart_wrap
- Remove the built-in editor
A large unused and unusable feature
* Security
- Add mitigation against DoS from thousands of parts
boo#1179113
* Features
- Allow index-style searching in postpone menu
- Open NeoMutt using a mailbox name
- Add cd command to change the current working directory
- Add tab-completion menu for patterns
- Allow renaming existing mailboxes
- Check for missing attachments in alternative parts
- Add one-liner docs to config items
* Bug Fixes
- Fix logic in checking an empty From address
- Fix Imap crash in cmd_parse_expunge()
- Fix setting attributes with S-Lang
- Fix: redrawing of $pager_index_lines
- Fix progress percentage for syncing large mboxes
- Fix sidebar drawing in presence of indentation + named mailboxes
- Fix retrieval of drafts when 'postponed' is not in the mailboxes list
- Do not add comments to address group terminators
- Fix alias sorting for degenerate addresses
- Fix attaching emails
- Create directories for nonexistent file hcache case
- Avoid creating mailboxes for failed subscribes
- Fix crash if rejecting cert
* Changed Config
- Add $copy_decode_weed, $pipe_decode_weed, $print_decode_weed
- Change default of $crypt_protected_headers_subject to '...'
- Add default keybindings to history-up/down
* Translations
- 100% Czech
- 100% Spanish
* Build
- Allow building against Lua 5.4
- Fix when sqlite3.h is missing
* Docs
- Add a brief section on stty to the manual
- Update section 'Terminal Keybindings' in the manual
- Clarify PGP Pseudo-header S duration
* Code
- Clean up String API
- Make the Sidebar more independent
- De-centralise the Config Variables
- Refactor dialogs
- Refactor: Help Bar generation
- Make more APIs Context-free
- Adjust the edata use in Maildir and Notmuch
- Window refactoring
- Convert libsend to use Config functions
- Refactor notifications to reduce noise
- Convert Keymaps to use STAILQ
- Track currently selected email by msgid
- Config: no backing global variable
- Add events for key binding
* Upstream
- Fix imap postponed mailbox use-after-free error
- Speed up thread sort when many long threads exist
- Fix ~v tagging when switching to non-threaded sorting
- Add message/global to the list of known 'message' types
- Print progress meter when copying/saving tagged messages
- Remove ansi formatting from autoview generated quoted replies
- Change postpone mode to write Date header too
- Unstuff format=flowed

- Update to 20200626:
* Bug Fixes
- Avoid opening the same hcache file twice
- Re-open Mailbox after folder-hook
- Fix the matching of the spoolfile Mailbox
- Fix link-thread to link all tagged emails
* Changed Config
- Add $tunnel_is_secure config, defaulting to true
* Upstream
- Don't check IMAP PREAUTH encryption if $tunnel is in use
- Add recommendation to use $ssl_force_tls
- Changes from 20200501:
* Security
- Abort GnuTLS certificate check if a cert in the chain is rejected
CVE-2020-14154 boo#1172906
- TLS: clear data after a starttls acknowledgement
CVE-2020-14954 boo#1173197
- Prevent possible IMAP MITM via PREAUTH response
CVE-2020-14093 boo#1172935
* Features
- add config operations +=/-= for number,long
- Address book has a comment field
- Query menu has a comment field
* Contrib
sample.neomuttrc-starter: Do not echo prompted password
* Bug Fixes
- make 'news://' and 'nntp://' schemes interchangeable
- Fix CRLF to LF conversion in base64 decoding
- Double comma in query
- compose: fix redraw after history
- Crash inside empty query menu
- mmdf: fix creating new mailbox
- mh: fix creating new mailbox
- mbox: error out when an mbox/mmdf is a pipe
- Fix list-reply by correct parsing of List-Post headers
- Decode references according to RFC2047
- fix tagged message count
- hcache: fix keylen not being considered when building the full key
- sidebar: fix path comparison
- Don't mess with the original pattern when running IMAP searches
- Handle IMAP 'NO' resps by issuing a msg instead of failing badly
- imap: use the connection delimiter if provided
- Memory leaks
* Changed Config
- $alias_format default changed to include %c comment
- $query_format default changed to include %e extra info
* Translations
- 100% Lithuanian
- 84% French
- Log the translation in use
* Docs
- Add missing commands unbind, unmacro to man pages
* Build
- Check size of long using LONG_MAX instead of __WORDSIZE
- Allow ./configure to not record cflags
- fix out-of-tree build
- Avoid locating gdbm symbols in qdbm library
* Code
- Refactor unsafe TAILQ returns
- add window notifications
- flip negative ifs
- Update to latest acutest.h
- test: add store tests
- test: add compression tests
- graphviz: email
- make more opcode info available
- refactor: main_change_folder()
- refactor: mutt_mailbox_next()
- refactor: generate_body()
- compress: add {min,max}_level to ComprOps
- emphasise empty loops: '// do nothing'
- prex: convert is_from() to use regex
- Refactor IMAP's search routines

- Update to 20200501:
* Bug Fixes
- Make sure buffers are initialized on error
- fix(sidebar): use abbreviated path if possible
* Translations
- 100% Lithuanian
* Docs
- make header cache config more explicit
- Changes from 20200424:
* Bug Fixes
- Fix history corruption
- Handle pretty much anything in a URL query part
- Correctly parse escaped characters in header phrases
- Fix crash reading received header
- Fix sidebar indentation
- Avoid crashing on failure to parse an IMAP mailbox
- Maildir: handle deleted emails correctly
- Ensure OP_NULL is always first
* Translations
- 100% Czech
* Build
- cirrus: enable pcre2, make pkgconf a special case
- Fix finding pcre2 w/o pkgconf
- build: tdb.h needs size_t, bring it in with stddef.h
- Changes from 20200417:
* Features
- Fluid layout for Compose Screen, see: vimeo.com/407231157
- Trivial Database (TDB) header cache backend
- RocksDB header cache backend
- Add and functions
* Bug Fixes
- add error for CLI empty emails
- Allow spaces and square brackets in paths
- browser: fix hidden mailboxes
- fix initial email display
- notmuch: fix time window search.
- fix resize bugs
- notmuch: fix entire-thread: update current email pointer
- sidebar: support indenting and shortening of names
- Handle variables inside backticks in sidebar_whitelist
- browser: fix mask regex error reporting
* Translations
- 100% Lithuanian
- 99% Chinese (simplified)
* Build
- Use regexes for common parsing tasks: urls, dates
- Add configure option --pcre2 -- Enable PCRE2 regular expressions
- Add configure option --tdb -- Use TDB for the header cache
- Add configure option --rocksdb -- Use RocksDB for the header cache
- Create libstore (key/value backends)
- Update to latest autosetup
- Update to latest acutest.h
- Rename doc/ directory to docs/
- make: fix location of .Po dependency files
- Change libcompress to be more universal
- Fix test fails on x32
- fix uidvalidity to unsigned 32-bit int
* Code
- Increase test coverage
- Fix memory leaks
- Fix null checks
* Upstream
- Buffer refactoring
- Fix use-after-free in mutt_str_replace()
- Clarify PGP Pseudo-header S duration
- Try to respect MUTT_QUIET for IMAP contexts too
- Limit recurse depth when parsing mime messages

- Update to 20200320:
* Bug Fixes
- Fix COLUMNS env var
- Fix sync after delete
- Fix crash in notmuch
- Fix sidebar indent
- Fix emptying trash
- Fix command line sending
- Fix reading large address lists
- Resolve symlinks only when necessary
* Translations
- 100% Lithuanian
- 96% Spanish
* Docs
- Include OpenSSL/LibreSSL/GnuTLS version in neomutt -v output
- Fix case of GPGME and SQLite
* Build
- Create libcompress (lz4, zlib, zstd)
- Create libhistory
- Create libbcache
- Move zstrm to libconn
* Code
- Add more test coverage
- Rename magic to type
- Use mutt_file_fopen() on config variables
- Change commands to use intptr_t for data

- Update to 20200313:
* Window layout
- Sidebar is only visible when it's usable.
* Features
- UI: add number of old messages to sidebar_format
- UI: support ISO 8601 calendar date
- UI: fix commands that don’t need to have a non-empty mailbox
to be valid
- PGP: inform about successful decryption of inline PGP
messages
- PGP: try to infer the signing key from the From address
- PGP: enable GPGMe by default
- Notmuch: use query as name for vfolder-from-query
- IMAP: add network traffic compression
(COMPRESS=DEFLATE, RFC4978)
- Header cache: add support for generic header cache
compression
* Bug Fixes
- Fix uncollapse_jump
- Only try to perform entire-thread on maildir/mh mailboxes
- Fix crash in pager
- Avoid logging single new lines at the end of header fields
- Fix listing mailboxes
- Do not recurse a non-threaded message
- Fix initial window order
- Fix leaks on IMAP error paths
- Notmuch: compose(attach-message): support notmuch backend
- Fix IMAP flag comparison code
- Fix $move for IMAP mailboxes
- Maildir: maildir_mbox_check_stats should only update mailbox
stats if requested
- Fix unmailboxes for virtual mailboxes
- Maildir: sanitize filename before hashing
- OAuth: if 'login' name isn't available use 'user'
- Add error message on failed encryption
- Fix a bunch of crashes
- Force C locale for email date
- Abort if run without a terminal
* Changed Config
- $crypt_use_gpgme - Now defaults to 'yes' (enabled)
- $abort_backspace - Hitting backspace against an empty prompt
aborts the prompt
- $abort_key - String representation of key to abort prompts
- $arrow_string - Use a custom string for arrow_cursor
- $crypt_opportunistic_encrypt_strong_keys - Enable encryption
only when a strong key is available
- $header_cache_compress_dictionary - Filepath to dictionary
for zstd compression
- $header_cache_compress_level - Level of compression for
method
- $header_cache_compress_method - Enable generic hcache
database compression
- $imap_deflate - Compress network traffic
- $smtp_user - Username for the SMTP server
* Translations
- 100% Lithuanian
- 81% Spanish
- 78% Russian
* Build
- Add libdebug
- Rename public headers to lib.h
- Create libcompress for compressed folders code
* Code
- Refactor Windows and Dialogs
- Lots of code tidying
- Refactor: mutt_addrlist_{search,write}
- Lots of improvements to the Config code
- Use Buffers more pervasively
- Unify API function naming
- Rename library shared headers
- Refactor libconn gui dependencies
- Refactor: init.[ch]
- Refactor config to use subsets
- Config: add path type
- Remove backend deps from the connection code
* Upstream
- Allow ~b ~B ~h patterns in send2-hook
- Rename smime oppenc mode parameter to get_keys_by_addr()
- Add $crypt_opportunistic_encrypt_strong_keys config var
- Fix crash when polling a closed ssl connection
- Turn off auto-clear outside of autocrypt initialization
- Add protected-headers='v1' to Content-Type when protecting
headers
- Fix segv in IMAP postponed menu caused by reopen_allow
- Adding ISO 8601 calendar date
- Fix $fcc_attach to not prompt in batch mode
- Convert remaining mutt_encode_path() call to use struct
Buffer
- Fix rendering of replacement_char when Charset_is_utf8
- Update to latest acutest.h

- Update to 20191207:
* Features:
- compose: draw status bar with highlights
* Bug Fixes:
- crash opening notmuch mailbox
- crash in mutt_autocrypt_ui_recommendation
- Avoid negative allocation
- Mbox new mail
- Setting of DT_MAILBOX type variables from Lua
- imap: empty cmdbuf before connecting
- imap: select the mailbox on reconnect
- compose: fix attach message
* Build:
- make files conditional
* Code:
- enum-ify log levels
- fix function prototypes
- refactor virtual email lookups
- factor out global Context
- Changes from 20191129:
* Features:
- Add raw mailsize expando (%cr)
* Bug Fixes:
- Avoid double question marks in bounce confirmation msg
- Fix bounce confirmation
- fix new-mail flags and behaviour
- fix: browser
- fix ssl crash
- fix move to trash
- fix flickering
- Do not check hidden mailboxes for new mail
- Fix new_mail_command notifications
- fix crash in examine_mailboxes()
- fix crash in mutt_sort_threads()
- fix: crash after sending
- Fix crash in tunnel's conn_close
- fix fcc for deep dirs
- imap: fix crash when new mail arrives
- fix colour 'quoted9'
- quieten messages on exit
- fix: crash after failed mbox_check
- browser: default to a file/dir view when attaching a file
* Changed Config:
- Change $write_bcc to default off
* Docs:
- Add a bit more documentation about sending
- Clarify $write_bcc documentation.
- Update documentation for raw size expando
- docbook: set generate.consistent.ids to make generated html
reproducible
* Build:
- fix build/tests for 32-bit arches
- tests: fix test that would fail soon
- tests: fix context for failing idna tests

- Update to 20191111:
Bug fixes:
* browser: fix directory view
* fix crash in mutt_extract_token()
* force a screen refresh
* fix crash sending message from command line
* notmuch: use nm_default_uri if no mailbox data
* fix forward attachments
* fix: vfprintf undefined behaviour in body_handler
* Fix relative symlink resolution
* fix: trash to non-existent file/dir
* fix re-opening of mbox Mailboxes
* close logging as late as possible
* log unknown mailboxes
* fix crash in command line postpone
* fix memory leaks
* fix icommand parsing
* fix new mail interaction with mail_check_recent
Family: unix
Class: patch
Status:
Reference(s):
1172906
1172935
1173197
1179035
1179113
CVE-2020-14093
CVE-2020-14154
CVE-2020-14954
CVE-2020-28896
openSUSE-SU-2020:2127-1
Platform(s): openSUSE Leap 15.1
Product(s):
Definition Synopsis
  • openSUSE Leap 15.1 is installed
  • AND Package Information
  • neomutt-20201120-lp152.2.3.1 is installed
  • OR neomutt-doc-20201120-lp152.2.3.1 is installed
  • OR neomutt-lang-20201120-lp152.2.3.1 is installed