author: Kevin McCarthy <kevin@8t8.us>, 2020-11-20 09:32:41 -0800
committer: Kevin McCarthy <kevin@8t8.us>, 2020-11-20 09:32:41 -0800
commit: 3d362fa2d997b46b38dbdf596cf6840e12b6bf33
tree: 57d95c9929440110db22254fd76c2794e582a795
parent: 452dee695317f8891d4ce30556b5e06e0eff7122
parent: d92689088dfe80a290ec836e292376e2d9984f8f
Merge branch 'stable'
-rw-r--r-- ChangeLog 43
-rw-r--r-- UPDATING 4
-rw-r--r-- VERSION 2
-rw-r--r-- imap/imap.c 2
4 files changed, 49 insertions, 2 deletions
diff --git a/ChangeLog b/ChangeLog
index eb3ce585..04be5dac 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,46 @@
+2020-11-20 09:20:01 -0800 Kevin McCarthy <kevin@8t8.us> (e4fd9247)
+
+ * Update UPDATING file for 2.0.2.
+
+M UPDATING
+
+2020-11-16 10:20:21 -0800 Kevin McCarthy <kevin@8t8.us> (04b06aaa)
+
+ * Ensure IMAP connection is closed after a connection error.
+
+ During connection, if the server provided an illegal initial response,
+ Mutt "bailed", but did not actually close the connection. The calling
+ code unfortunately relied on the connection status to decide to
+ continue with authentication, instead of checking the "bail" return
+ value.
+
+ This could result in authentication credentials being sent over an
+ unencrypted connection, without $ssl_force_tls being consulted.
+
+ Fix this by strictly closing the connection on any invalid response
+ during connection. The fix is intentionally small, to ease
+ backporting. A better fix would include removing the 'err_close_conn'
+ label, and perhaps adding return value checking in the caller (though
+ this change obviates the need for that).
+
+ This addresses CVE-2020-28896. Thanks to Gabriel Salles-Loustau for
+ reporting the problem, and providing test cases to reproduce.
+
+M imap/imap.c
+
+2020-11-19 15:06:51 -0800 Keld Simonsen <keld@keldix.com> (d4c97068)
+
+ * Updated Danish translation.
+
+M po/da.po
+
+2020-11-14 13:16:03 -0800 Kevin McCarthy <kevin@8t8.us> (42e08237)
+
+ * automatic post-release commit for mutt-2.0.1
+
+M ChangeLog
+M VERSION
+
2020-11-14 13:10:45 -0800 Kevin McCarthy <kevin@8t8.us> (78fe7d4e)
* Update UPDATING file for 2.0.1.
diff --git a/UPDATING b/UPDATING
index 25ffb3ce..0db51b51 100644
--- a/UPDATING
+++ b/UPDATING
@@ -9,6 +9,10 @@ http://www.mutt.org/relnotes/
The keys used are:
!: modified feature, -: deleted feature, +: new feature
+2.0.2 (2020-11-20):
+
+ ! Bug fix release.
+
2.0.1 (2020-11-14):
! Bug fix release.
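Review bot: The 2.0.2 entry added here reads only "! Bug fix release.", but the ChangeLog hunk in this same patch records that the release addresses CVE-2020-28896, where authentication credentials could be sent over an unencrypted connection. Consider stating that in the entry, for example "! Bug fix release, including a security fix for CVE-2020-28896.", so that someone reading UPDATING alone can tell the upgrade is security-relevant.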
diff --git a/VERSION b/VERSION
index 38f77a65..e9307ca5 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-2.0.1
+2.0.2
diff --git a/imap/imap.c b/imap/imap.c
index b24e8a3f..b13dd54d 100644
--- a/imap/imap.c
+++ b/imap/imap.c
@@ -561,9 +561,9 @@ int imap_open_connection (IMAP_DATA* idata)
#if defined(USE_SSL)
err_close_conn:
- imap_close_connection (idata);
#endif
bail:
+ imap_close_connection (idata);
FREE (&idata->capstr);
return -1;
}
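Review bot: With imap_close_connection (idata) moved below bail:, the err_close_conn label inside the #if defined(USE_SSL) block no longer guards any statement of its own and simply falls through to bail, so the two labels are now equivalent; the ChangeLog entry already names removing it as the cleaner follow-up. Every goto bail path now closes the connection too, and the visible lines do not show whether imap_close_connection is safe to call when the connection was never opened or has already been closed, so that is worth confirming before backporting. Since the ChangeLog says the caller chose to continue with authentication based on connection status rather than this function's -1 return, adding a return-value check in the caller would still be worthwhile as a second line of defense.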