FreeBSD Bugzilla – Attachment 195177 Details for Bug 229810: security/vuxml: add entry for mail/mutt 1.10.1
[patch] Add entry for mail/mutt 1.10.1
0001-security-vuxml-add-entry-for-mail-mutt-1.10.1.patch (text/plain), 2.14 KB, created by Derek Schrock on 2018-07-16 18:53:42 UTC
>From 87ada6ad71148ab2d1481547063b174dfa6a3605 Mon Sep 17 00:00:00 2001 >From: Derek Schrock <dereks@lifeofadishwasher.com> >Date: Mon, 16 Jul 2018 14:44:29 -0400 >Subject: [PATCH] security/vuxml: add entry for mail/mutt 1.10.1 > >--- > security/vuxml/vuln.xml | 33 +++++++++++++++++++++++++++++++++ > 1 file changed, 33 insertions(+) > >diff --git a/security/vuxml/vuln.xml b/security/vuxml/vuln.xml >index 03bfc2dcae35..66dca5a16794 100644 >--- a/security/vuxml/vuln.xml >+++ b/security/vuxml/vuln.xml 
>@@ -58,6 +58,39 @@ Notes: > * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) > --> > <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> >+ <vuln vid="c133fcbe-8924-11e8-8fa5-4437e6ad11c4"> >+ <topic>mutt -- remote code injection and path traversal vulnerability</topic> >+ <affects> >+ <package> >+ <name>mutt</name> >+ <range><lt>1.10.1</lt></range> >+ </package> >+ </affects> >+ <description> >+ <body xmlns="http://www.w3.org/1999/xhtml"> >+ <p>Kevin J. McCarthy reports:</p> >+ <blockquote cite="http://lists.mutt.org/pipermail/mutt-announce/Week-of-Mon-20180716/000004.html"> >+ <p> Fixes a remote code injection vulnerability when "subscribing" >+ to an IMAP mailbox, either via $imap_check_subscribed, or via the >+ <subscribe> function in the browser menu. Mutt was generating a >+ "mailboxes" command and sending that along to the muttrc parser. >+ However, it was not escaping "`", which executes code and inserts >+ the result. This would allow a malicious IMAP server to execute >+ arbitrary code (for $imap_check_subscribed).</p> >+ <p>Fixes POP body caching path traversal vulnerability.</p> >+ <p>Fixes IMAP header caching path traversal vulnerability.</p> >+ </blockquote> >+ </body> >+ </description> >+ <references> >+ <url>http://lists.mutt.org/pipermail/mutt-announce/Week-of-Mon-20180716/000004.html</url> >+ </references> >+ <dates> >+ <discovery>2018-07-15</discovery> >+ <entry>2018-07-16</entry> >+ </dates> >+ </vuln> >+ > <vuln vid="fe93803c-883f-11e8-9f0c-001b216d295b"> > <topic>Several Security Defects in the Bouncy Castle Crypto APIs</topic> > <affects> >-- >2.18.0 >
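Review bot: the first <p> inside the <blockquote> carries a literal <subscribe> ("or via the <subscribe> function in the browser menu"), which an XML parser reads as an opening tag with no matching close, so vuln.xml stops being well-formed with this entry in it. Escape it as &lt;subscribe&gt; so it stays text. Two smaller points in the same entry: the <topic> covers three separate fixes (the IMAP subscribe code injection, the POP body cache path traversal and the IMAP header cache path traversal), so "vulnerabilities" fits better than "vulnerability"; and the first paragraph has a stray space between <p> and "Fixes". The <references> block lists only the announcement URL; if CVE identifiers have been assigned to these issues, add them as <cvename> elements.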
Attachments on bug 229810: 195177 | 195221