author | Kevin McCarthy <kevin@8t8.us> | 2020-11-20 09:32:41 -0800 |
---|---|---|
committer | Kevin McCarthy <kevin@8t8.us> | 2020-11-20 09:32:41 -0800 |
commit | 3d362fa2d997b46b38dbdf596cf6840e12b6bf33 (patch) | |
tree | 57d95c9929440110db22254fd76c2794e582a795 | |
parent | 452dee695317f8891d4ce30556b5e06e0eff7122 (diff) | |
parent | d92689088dfe80a290ec836e292376e2d9984f8f (diff) |
Merge branch 'stable'
-rw-r--r-- | ChangeLog | 43 | ||||
-rw-r--r-- | UPDATING | 4 | ||||
-rw-r--r-- | VERSION | 2 | ||||
-rw-r--r-- | imap/imap.c | 2 |
4 files changed, 49 insertions, 2 deletions
@@ -1,3 +1,46 @@ +2020-11-20 09:20:01 -0800 Kevin McCarthy <kevin@8t8.us> (e4fd9247) + + * Update UPDATING file for 2.0.2. + +M UPDATING + +2020-11-16 10:20:21 -0800 Kevin McCarthy <kevin@8t8.us> (04b06aaa) + + * Ensure IMAP connection is closed after a connection error. + + During connection, if the server provided an illegal initial response, + Mutt "bailed", but did not actually close the connection. The calling + code unfortunately relied on the connection status to decide to + continue with authentication, instead of checking the "bail" return + value. + + This could result in authentication credentials being sent over an + unencrypted connection, without $ssl_force_tls being consulted. + + Fix this by strictly closing the connection on any invalid response + during connection. The fix is intentionally small, to ease + backporting. A better fix would include removing the 'err_close_conn' + label, and perhaps adding return value checking in the caller (though + this change obviates the need for that). + + This addresses CVE-2020-28896. Thanks to Gabriel Salles-Loustau for + reporting the problem, and providing test cases to reproduce. + +M imap/imap.c + +2020-11-19 15:06:51 -0800 Keld Simonsen <keld@keldix.com> (d4c97068) + + * Updated Danish translation. + +M po/da.po + +2020-11-14 13:16:03 -0800 Kevin McCarthy <kevin@8t8.us> (42e08237) + + * automatic post-release commit for mutt-2.0.1 + +M ChangeLog +M VERSION + 2020-11-14 13:10:45 -0800 Kevin McCarthy <kevin@8t8.us> (78fe7d4e) * Update UPDATING file for 2.0.1. @@ -9,6 +9,10 @@ http://www.mutt.org/relnotes/ The keys used are: !: modified feature, -: deleted feature, +: new feature +2.0.2 (2020-11-20): + + ! Bug fix release. + 2.0.1 (2020-11-14): ! Bug fix release. @@ -1 +1 @@ -2.0.1 +2.0.2 diff --git a/imap/imap.c b/imap/imap.c index b24e8a3f..b13dd54d 100644 --- a/imap/imap.c +++ b/imap/imap.c 
@@ -561,9 +561,9 @@ int imap_open_connection (IMAP_DATA* idata) #if defined(USE_SSL) err_close_conn: - imap_close_connection (idata); #endif bail: + imap_close_connection (idata); FREE (&idata->capstr); return -1; } |
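Review bot: The 2.0.2 entry added in the UPDATING hunk says only "! Bug fix release.", while the ChangeLog hunk in the same patch records that this release addresses CVE-2020-28896, where authentication credentials could be sent over an unencrypted connection without $ssl_force_tls being consulted. Suggest that the UPDATING entry say 2.0.2 is a security fix for IMAP connection handling and name the CVE, so that packagers and users who read only UPDATING can prioritize the upgrade.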
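Review bot: In the imap/imap.c hunk, moving imap_close_connection (idata) under bail: leaves err_close_conn: as an empty label inside the #if defined(USE_SSL) block that only falls through to bail:. The ChangeLog entry already notes that a better fix would remove it, so a follow-up should retarget those gotos to bail and drop the label and its #if guard. Because the close now runs on every failure exit of imap_open_connection, it is worth confirming that imap_close_connection is safe on each path that jumps to bail:, which this hunk does not show. A short comment at bail: saying that the close is unconditional on purpose (the caller decides whether to authenticate from the connection state) would keep a later cleanup from moving it back. Checking the -1 return value in the caller before authentication would add a second guard against the same failure.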