You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This is similar to CVE-2014-2567 and CVE-2020-12398. STARTTLS is not
allowed in the Authenticated state, so previously Mutt would
implicitly mark the connection as authenticated and skip any
encryption checking/enabling.
No credentials are exposed, but it does allow messages to be sent to
an attacker, via postpone or fcc'ing for instance.
Reuse the $ssl_starttls quadoption "in reverse" to prompt to abort the
connection if it is unencrypted.
Thanks very much to Damian Poddebniak and Fabian Ising from the
Münster University of Applied Sciences for reporting this issue, and
their help in testing the fix.
0 commit comments