Your message dated Sun, 07 Jun 2026 17:34:37 +0000
with message-id <[email protected]>
and subject line Bug#1135699: fixed in mutt 2.3.2-1
has caused the Debian Bug report #1135699,
regarding mutt: CVE-2026-43859 CVE-2026-43860 CVE-2026-43861 CVE-2026-43862
CVE-2026-43863 CVE-2026-43864
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1135699: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1135699
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: mutt
Version: 2.2.13-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerabilities were published for mutt.
CVE-2026-43859[0]:
| mutt before 2.3.2 sometimes uses strfcpy instead of memcpy for the
| IMAP auth_cram MD5 digest.
CVE-2026-43860[1]:
| mutt before 2.3.2 sometimes truncates the hash_passwd by one byte
| for IMAP auth_cram MD5 digest.
CVE-2026-43861[2]:
| mutt before 2.3.2 does not check for '\0' in url_pct_decode.
CVE-2026-43862[3]:
| In mutt before 2.3.2, the imap_auth_gss security level is
| mishandled.
CVE-2026-43863[4]:
| mutt before 2.3.2 has an infinite loop in data_object_to_stream in
| crypt-gpgme.c.
CVE-2026-43864[5]:
| mutt before 2.3.2 has a show_sig_summary NULL pointer dereference.
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-43859
https://www.cve.org/CVERecord?id=CVE-2026-43859
[1] https://security-tracker.debian.org/tracker/CVE-2026-43860
https://www.cve.org/CVERecord?id=CVE-2026-43860
[2] https://security-tracker.debian.org/tracker/CVE-2026-43861
https://www.cve.org/CVERecord?id=CVE-2026-43861
[3] https://security-tracker.debian.org/tracker/CVE-2026-43862
https://www.cve.org/CVERecord?id=CVE-2026-43862
[4] https://security-tracker.debian.org/tracker/CVE-2026-43863
https://www.cve.org/CVERecord?id=CVE-2026-43863
[5] https://security-tracker.debian.org/tracker/CVE-2026-43864
https://www.cve.org/CVERecord?id=CVE-2026-43864
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: mutt
Source-Version: 2.3.2-1
Done: Antonio Radici <[email protected]>
We believe that the bug you reported is fixed in the latest version of
mutt, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Antonio Radici <[email protected]> (supplier of updated mutt package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 07 Jun 2026 18:55:21 +0200
Source: mutt
Architecture: source
Version: 2.3.2-1
Distribution: unstable
Urgency: medium
Maintainer: Mutt maintainers <[email protected]>
Changed-By: Antonio Radici <[email protected]>
Closes: 1132418 1135699
Changes:
mutt (2.3.2-1) unstable; urgency=medium
.
* New upstream release (Closes: 1132418)
- fixed the following CVEs as part of the above CVE-2026-43859
CVE-2026-43860 CVE-2026-43861 CVE-2026-43862 CVE-2026-43863
CVE-2026-43864 (Closes: 1135699)
* debian/watch: added the new updated path to check for new versions.
* debian/patches: all refreshed
Checksums-Sha1:
9208c19649eb84367c5e16d905d22121e6529d5b 2299 mutt_2.3.2-1.dsc
b46a886951aebfab556755882841ec36f252c350 5570204 mutt_2.3.2.orig.tar.gz
f975367952a529884e78df633e6ef475fa34c34a 833 mutt_2.3.2.orig.tar.gz.asc
764b8671ab7c1ce63d7b992d6dfbde0058611ab7 62108 mutt_2.3.2-1.debian.tar.xz
c130aa6214e9aca24ce6d98f07b7552dbbb8cdb9 8363 mutt_2.3.2-1_amd64.buildinfo
Checksums-Sha256:
a41730baf5e01353dd04cfaac0160d772eed4e94ee29276aec7629db4bf2ece6 2299
mutt_2.3.2-1.dsc
9b4f7a442e41c057774ba7c36fa41aba2edd2e7a12a86031e6ebb113bab2c79e 5570204
mutt_2.3.2.orig.tar.gz
b4f791ab4650eed9e5521a66a6ba85519af8515ba40c14d90f28e3862b6479f4 833
mutt_2.3.2.orig.tar.gz.asc
f88f084f04eb234cfd4140c4a2997edd9adbbd00f7fa820f1ed8508720b83cdf 62108
mutt_2.3.2-1.debian.tar.xz
03f8b7a0e14619c6611097a325e047cbf12ad3380a7d2c6c7da6754fb40aaed8 8363
mutt_2.3.2-1_amd64.buildinfo
Files:
5bb108a4a7fdc6bdec231e8aefeb3e1f 2299 mail optional mutt_2.3.2-1.dsc
50f395705c3da65d4592119e982a7a23 5570204 mail optional mutt_2.3.2.orig.tar.gz
92d1b2f288452da5e1ae68051ef69d95 833 mail optional mutt_2.3.2.orig.tar.gz.asc
c372fea7c24f7bb568ec9f8b8ac8320d 62108 mail optional mutt_2.3.2-1.debian.tar.xz
1782c907f97c7e829c9baf93bf71c367 8363 mail optional
mutt_2.3.2-1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
iQJHBAEBCgAxFiEEQObYrBkA1SRrfOa1NcjIiHLLHu0FAmolqCMTHGFudG9uaW9A
ZGViaWFuLm9yZwAKCRA1yMiIcsse7R+2D/9zWjyoYh9VgIRT5zrgUKy4Ns8TNmzm
Av69r0BcoL7j0telDfGDK08w8wnFXotRdSMqtmiPsJRPLMCeaDsXPbi1tjECOBJ5
TrZ3K3utiwVYSg1ACxWLBmeXv2ePviMmpIK0/ANPg21P3xR0/curMLbbiYm4e3Ak
oBBNrHXsLO8hnVbeSmRJy+JFZlL6t/0tu7Jt3WIM0Sztrem13Y9YsVKLaclWRnlM
oLQsB/RXq2kLbwrApVS0umya1GmcSP8EeI5KG8lkXlCcIbXruulTM5/MOIDNhM2D
zj4+d4CxFZUXk7PTFkFguGEEc9Lr+5MfcXS1Lw+fOPG5c/8pwE16qISkp7KhzhfU
bT7qtRQFpn3T0Cd00Ua3INHH6oH6lCUiYHNpPe35uZvrHfoiNusUPu4SqVS2Lp2P
KNGmIJW+qBdRBaRy8pEXN4dshX3l4Oq99jzcgRmsNs6bUeytogBGWZzSELRBlfgD
fj7hkmbGUECxCAm4EmnVGOXMukXEfq19zYZOnibRoyOF5sDbunjDnCIa4NAmjlCX
k/NBxbkT22W3uWc2/dnoY3FAps4Ofva/hY5cHKwd5u2aqLR8pQIcwox0PfLIVfMU
tubR7+NZIKnEAwMcxzdAAcY/XxJS71xk/ylb+xfJqU986G12KTa0cDtIvYdIlG2L
33ghk/Bn2nCWrg==
=653c
-----END PGP SIGNATURE-----
pgpXXkf8dUX9_.pgp
Description: PGP signature
--- End Message ---