From 3b2939febdeb7f92051f95a3b08cf86e221ce21d Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Mon, 3 Aug 2020 20:27:38 +0200 Subject: libinterimap: abort on PREAUTH greeting received on plaintext connections Set "STARTTLS = NO" to ignore. This is similar to CVE-2020-12398 and CVE-2020-14093. --- Changelog | 3 +++ 1 file changed, 3 insertions(+) (limited to 'Changelog') diff --git a/Changelog b/Changelog index c6194de..1327c00 100644 --- a/Changelog +++ b/Changelog @@ -5,6 +5,9 @@ interimap (0.5.2) UNRELEASED; and \[rq] in the groff output anyway). - libinterimap: fix response injection vulnerability after STARTTLS. For background see https://gitlab.com/muttmua/mutt/-/issues/248 . + - libinterimap: abort on PREAUTH greeting received on plaintext + connections (set "STARTTLS = NO" to ignore). This is similar to + CVE-2020-12398 and CVE-2020-14093. * libinterimap: fail when a capability to ENABLE is missing from the server's CAPABILITY listing. -- cgit v1.2.3
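Review bot: The added Changelog entry gives the opt-out, `(set "STARTTLS = NO" to ignore)`, without saying what the user gives up by taking it. As worded it reads like a harmless switch, but judging by its name, that setting turns off the TLS upgrade itself, so the session would stay in plaintext. I would spell that out in the entry, for example "set "STARTTLS = NO" to ignore; the connection then remains unencrypted". The entry also leans on "similar to CVE-2020-12398 and CVE-2020-14093" to explain the reason for the abort. A short clause would let the entry stand on its own for readers who do not look the CVEs up: a PREAUTH greeting puts the session in the authenticated state, where STARTTLS can no longer be issued. Only the Changelog is visible in this view, so I cannot tell whether the new abort is described in the documentation of the STARTTLS option. If it is not, it belongs there as well.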