group.of.nepali.translators team mailing list archive
-
group.of.nepali.translators team
-
Mailing list archive
-
Message #26199
[Bug 1794278] Re: Security patches not applied to xenial mutt
I've uploaded a corrected version of mutt to the ubuntu-security-
proposed ppa at https://launchpad.net/~ubuntu-security-
proposed/+archive/ubuntu/ppa/+packages and will release it to xenial-
security after testing. Please report any feedback you have here.
Thanks again for the report!
** Information type changed from Private Security to Public Security
** Also affects: mutt (Ubuntu Xenial)
Importance: Undecided
Status: New
** Changed in: mutt (Ubuntu Xenial)
Status: New => Triaged
** Changed in: mutt (Ubuntu Xenial)
Importance: Undecided => High
** Changed in: mutt (Ubuntu Xenial)
Assignee: (unassigned) => Steve Beattie (sbeattie)
** Changed in: mutt (Ubuntu)
Status: Triaged => Fix Released
--
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1794278
Title:
Security patches not applied to xenial mutt
Status in mutt package in Ubuntu:
Fix Released
Status in mutt source package in Xenial:
Triaged
Bug description:
Hi,
The version of mutt in 16.04 LTS (1.5.24-1ubuntu0.1) seems to be
missing all ubuntu supplied security patches. In particular, the
following list:
ubuntu/mutt-CVE-2018-14349.patch
ubuntu/mutt-CVE-2018-14350-CVE-2018-14358.patch
ubuntu/mutt-CVE-2018-14351.patch
ubuntu/mutt-CVE-2018-14352-CVE-2018-14353.patch
ubuntu/mutt-CVE-2018-14354-CVE-2018-14357.patch
ubuntu/mutt-CVE-2018-14355.patch
ubuntu/mutt-CVE-2018-14356.patch
ubuntu/mutt-CVE-2018-14359.patch
ubuntu/mutt-CVE-2018-14362.patch
...is NOT applied to the standard mutt version, only to the "enhanced"
version.
Output of mutt -v shows the list of applied patches (see bottom):
Mutt 1.5.24 (2015-08-30)
Copyright (C) 1996-2009 Michael R. Elkins and others.
Mutt comes with ABSOLUTELY NO WARRANTY; for details type `mutt -vv'.
Mutt is free software, and you are welcome to redistribute it
under certain conditions; type `mutt -vv' for details.
System: Linux 4.15.0-35-generic (x86_64)
ncurses: ncurses 6.0.20160213 (compiled with 6.0)
libidn: 1.32 (compiled with 1.32)
hcache backend: tokyocabinet 1.4.48
Compiler:
Using built-in specs.
COLLECT_GCC=gcc
COLLECT_LTO_WRAPPER=/usr/lib/gcc/x86_64-linux-gnu/5/lto-wrapper
Target: x86_64-linux-gnu
Configured with: ../src/configure -v --with-pkgversion='Ubuntu 5.4.0-6ubuntu1~16.04.10' --with-bugurl=file:///usr/share/doc/gcc-5/README.Bugs --enable-languages=c,ada,c++,java,go,d,fortran,objc,obj-c++ --prefix=/usr --program-suffix=-5 --enable-shared --enable-linker-build-id --libexecdir=/usr/lib --without-included-gettext --enable-threads=posix --libdir=/usr/lib --enable-nls --with-sysroot=/ --enable-clocale=gnu --enable-libstdcxx-debug --enable-libstdcxx-time=yes --with-default-libstdcxx-abi=new --enable-gnu-unique-object --disable-vtable-verify --enable-libmpx --enable-plugin --with-system-zlib --disable-browser-plugin --enable-java-awt=gtk --enable-gtk-cairo --with-java-home=/usr/lib/jvm/java-1.5.0-gcj-5-amd64/jre --enable-java-home --with-jvm-root-dir=/usr/lib/jvm/java-1.5.0-gcj-5-amd64 --with-jvm-jar-dir=/usr/lib/jvm-exports/java-1.5.0-gcj-5-amd64 --with-arch-directory=amd64 --with-ecj-jar=/usr/share/java/eclipse-ecj.jar --enable-objc-gc --enable-multiarch --disable-werror --with-arch-32=i686 --with-abi=m64 --with-multilib-list=m32,m64,mx32 --enable-multilib --with-tune=generic --enable-checking=release --build=x86_64-linux-gnu --host=x86_64-linux-gnu --target=x86_64-linux-gnu
Thread model: posix
gcc version 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.10)
Configure options: '--prefix=/usr' '--sysconfdir=/etc' '--
mandir=/usr/share/man' '--with-docdir=/usr/share/doc' '--with-
mailpath=/var/mail' '--disable-dependency-tracking' '--enable-
compressed' '--enable-debug' '--enable-fcntl' '--enable-hcache'
'--enable-gpgme' '--enable-imap' '--enable-smtp' '--enable-pop'
'--with-curses' '--with-gnutls' '--with-gss' '--with-idn' '--with-
mixmaster' '--with-sasl' '--without-gdbm' '--without-bdb' '--without-
qdbm' '--build' 'x86_64-linux-gnu' 'build_alias=x86_64-linux-gnu'
'CFLAGS=-g -O2 -fstack-protector-strong -Wformat -Werror=format-
security -Wall' 'LDFLAGS=-Wl,-Bsymbolic-functions -Wl,-z,relro'
'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2 -I/usr/include/qdbm'
Compilation CFLAGS: -g -O2 -fstack-protector-strong -Wformat -Werror
=format-security -Wall
Compile options:
-DOMAIN
+DEBUG
-HOMESPOOL +USE_SETGID +USE_DOTLOCK +DL_STANDALONE +USE_FCNTL -USE_FLOCK
+USE_POP +USE_IMAP +USE_SMTP
-USE_SSL_OPENSSL +USE_SSL_GNUTLS +USE_SASL +USE_GSS +HAVE_GETADDRINFO
+HAVE_REGCOMP -USE_GNU_REGEX
+HAVE_COLOR +HAVE_START_COLOR +HAVE_TYPEAHEAD +HAVE_BKGDSET
+HAVE_CURS_SET +HAVE_META +HAVE_RESIZETERM
+CRYPT_BACKEND_CLASSIC_PGP +CRYPT_BACKEND_CLASSIC_SMIME +CRYPT_BACKEND_GPGME
-EXACT_ADDRESS -SUN_ATTACHMENT
+ENABLE_NLS -LOCALES_HACK +COMPRESSED +HAVE_WC_FUNCS +HAVE_LANGINFO_CODESET +HAVE_LANGINFO_YESEXPR
+HAVE_ICONV -ICONV_NONTRANS +HAVE_LIBIDN +HAVE_GETSID +USE_HCACHE
-ISPELL
SENDMAIL="/usr/sbin/sendmail"
MAILPATH="/var/mail"
PKGDATADIR="/usr/share/mutt"
SYSCONFDIR="/etc"
EXECSHELL="/bin/sh"
MIXMASTER="mixmaster"
To contact the developers, please mail to <mutt-dev@xxxxxxxx>.
To report a bug, please visit http://bugs.mutt.org/.
misc/am-maintainer-mode.patch
features/ifdef.patch
features/trash-folder.patch
features/purge-message.patch
features/imap_fast_trash.patch
features/sensible_browser_position.patch
features/compressed-folders.patch
features/compressed-folders.debian.patch
debian-specific/Muttrc.patch
debian-specific/Md.etc_mailname_gethostbyname.patch
debian-specific/use_usr_bin_editor.patch
debian-specific/correct_docdir_in_man_page.patch
debian-specific/dont_document_not_present_features.patch
debian-specific/document_debian_defaults.patch
debian-specific/assumed_charset-compat.patch
debian-specific/467432-write_bcc.patch
debian-specific/566076-build_doc_adjustments.patch
misc/define-pgp_getkeys_command.patch
misc/gpg.rc-paths.patch
misc/smime.rc.patch
misc/fix-configure-test-operator.patch
upstream/531430-imapuser.patch
upstream/543467-thread-segfault.patch
upstream/548577-gpgme-1.2.patch
upstream/553321-ansi-escape-segfault.patch
upstream/528233-readonly-open.patch
upstream/228671-pipe-mime.patch
upstream/383769-score-match.patch
upstream/603288-split-fetches.patch
upstream/611410-no-implicit_autoview-for-text-html.patch
upstream/771125-CVE-2014-9116-jessie.patch
upstream/path_max.patch
translations/update_german_translation.patch
__separator__mutt.org.patch
It would appear that the maintainer who applied the security patches
was insufficiently aware of the hack used to generate the normal and
patched versions of the package.
cheers,
Wessel Dankers
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/mutt/+bug/1794278/+subscriptions