Message-ID: <3b4692b8-1f75-259a-0608-8511e076a461@oracle.com>
Date: Thu, 14 Apr 2022 16:21:52 -0700
From: Alan Coopersmith <alan.coopersmith@...cle.com>
To: oss-security@...ts.openwall.com
Subject: mutt 2.2.3 released - fixes CVE-2022-1328

https://marc.info/?l=mutt-users&m=164979464612885&w=2 says:

> From: "Kevin J. McCarthy" <kevin () 8t8 ! us>
> Date: Tue, 12 Apr 2022 20:16:44 +0000
> To: mutt-users
> Subject: mutt 2.2.3 released
> 
> Hello Mutt Users,
> 
> I've just released version 2.2.3.  Instructions for downloading are 
> available at <http://www.mutt.org/download.html>, or the tarball can be 
> directly downloaded from <http://ftp.mutt.org/pub/mutt/>.  Please take 
> the time to verify the signature file against my public key[1].
> 
> This is a bug-fix release, addressing CVE-2022-1328: a buffer overread 
> in the uuencoded decoder routine.  For more details please see GitLab 
> ticket 404: <https://gitlab.com/muttmua/mutt/-/issues/404>.  The commit 
> fixing this issue is at 
> <https://gitlab.com/muttmua/mutt/-/commit/e5ed080c00e59701ca62ef9b2a6d2612ebf765a5>
> 
> Also fixed were a possible integer overflow issue in the general iconv 
> and rfc2047-conversion iconv functions.  These are not believed to be 
> exploitable.
> 
> A huge thank you to Tavis Ormandy for reporting these issues, suggesting 
> a patch for the iconv issue, helping test, and providing constructive 
> feedback.  Hurray for the white-hats!
> 
> -Kevin
> 
> [1]
> My public key is available at:
>    - my personal website: https://www.8t8.us/configs/80316BDA.asc.pubkey
>    - the mutt website: http://www.mutt.org/keys/kevin.key
>    - The keys.openpgp.org network
>      https://keys.openpgp.org/vks/v1/by-fingerprint/8975A9B33AA37910385C5308ADEF768480316BDA

-- 
         -Alan Coopersmith-                 alan.coopersmith@...cle.com
          Oracle Solaris Engineering - https://blogs.oracle.com/solaris
