Your message dated Sat, 04 Jul 2026 15:47:26 +0000
with message-id <[email protected]>
and subject line Bug#1135699: fixed in mutt 2.2.13-1+deb13u1
has caused the Debian Bug report #1135699,
regarding mutt: CVE-2026-43859 CVE-2026-43860 CVE-2026-43861 CVE-2026-43862
CVE-2026-43863 CVE-2026-43864
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1135699: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1135699
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: mutt
Version: 2.2.13-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerabilities were published for mutt.
CVE-2026-43859[0]:
| mutt before 2.3.2 sometimes uses strfcpy instead of memcpy for the
| IMAP auth_cram MD5 digest.
CVE-2026-43860[1]:
| mutt before 2.3.2 sometimes truncates the hash_passwd by one byte
| for IMAP auth_cram MD5 digest.
CVE-2026-43861[2]:
| mutt before 2.3.2 does not check for '\0' in url_pct_decode.
CVE-2026-43862[3]:
| In mutt before 2.3.2, the imap_auth_gss security level is
| mishandled.
CVE-2026-43863[4]:
| mutt before 2.3.2 has an infinite loop in data_object_to_stream in
| crypt-gpgme.c.
CVE-2026-43864[5]:
| mutt before 2.3.2 has a show_sig_summary NULL pointer dereference.
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-43859
https://www.cve.org/CVERecord?id=CVE-2026-43859
[1] https://security-tracker.debian.org/tracker/CVE-2026-43860
https://www.cve.org/CVERecord?id=CVE-2026-43860
[2] https://security-tracker.debian.org/tracker/CVE-2026-43861
https://www.cve.org/CVERecord?id=CVE-2026-43861
[3] https://security-tracker.debian.org/tracker/CVE-2026-43862
https://www.cve.org/CVERecord?id=CVE-2026-43862
[4] https://security-tracker.debian.org/tracker/CVE-2026-43863
https://www.cve.org/CVERecord?id=CVE-2026-43863
[5] https://security-tracker.debian.org/tracker/CVE-2026-43864
https://www.cve.org/CVERecord?id=CVE-2026-43864
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: mutt
Source-Version: 2.2.13-1+deb13u1
Done: Moritz Mühlenhoff <[email protected]>
We believe that the bug you reported is fixed in the latest version of
mutt, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Moritz Mühlenhoff <[email protected]> (supplier of updated mutt package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 11 Jun 2026 23:05:00 +0200
Source: mutt
Architecture: source
Version: 2.2.13-1+deb13u1
Distribution: trixie
Urgency: medium
Maintainer: Mutt maintainers <[email protected]>
Changed-By: Moritz Mühlenhoff <[email protected]>
Closes: 1135699
Changes:
mutt (2.2.13-1+deb13u1) trixie; urgency=medium
.
* CVE-2026-43859 CVE-2026-43860 CVE-2026-43861 CVE-2026-43862
CVE-2026-43863 CVE-2026-43864 (Closes: #1135699)
Checksums-Sha1:
abb9cd80a838527f91b3bd7f3df7eb424bc852a3 2320 mutt_2.2.13-1+deb13u1.dsc
b2fae333a9833b4b21c4d9282f6cd4d2cb9b0656 63524
mutt_2.2.13-1+deb13u1.debian.tar.xz
a49cec86b9dbd86ee0550df3f4298c8b657fd368 8661
mutt_2.2.13-1+deb13u1_amd64.buildinfo
Checksums-Sha256:
f1dc8b9de733f1f1e2f67267ebdd0b75578efa99bc0bde75dc543475d8ebe4dc 2320
mutt_2.2.13-1+deb13u1.dsc
6cea9cfcb2404056c8a9caa90213f6cb98e8beef9a9bc5a3e5bdcefeef50772d 63524
mutt_2.2.13-1+deb13u1.debian.tar.xz
3188a1e5a4b2ec2465dc770f69463612ff5f4f7d7fe491283b49244b8db30f1d 8661
mutt_2.2.13-1+deb13u1_amd64.buildinfo
Files:
63c6cff12341dc39a65a2a71f00d890e 2320 mail optional mutt_2.2.13-1+deb13u1.dsc
142d812f220bb17e9a97aae37ac9b05a 63524 mail optional
mutt_2.2.13-1+deb13u1.debian.tar.xz
7c303849f0bf5e07841cc6f236b7547f 8661 mail optional
mutt_2.2.13-1+deb13u1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmowYX8ACgkQEMKTtsN8
TjYWjhAAkHjXz/zzPRBJjuQFH93gqbMNp7buOBM/Lu56RGWFC2U+gxp5agCduR7y
3wGyFLYAjFkULadAyDHGTO0xiWazc61xJ6IrZjvZEhIP512CnxamDRhSZtEf9bR3
kxxspWYCZkFvmgWts6ZhDUuDOrfwqFHbdutl5mvX/JTyBJbcE67+yYjzUaUjCFjU
lO/q5pubVtdcyY90w4HyhsJ0WHOS+sl+vWR1wLupX8YJV2lq5P+hDhkWkomINUA4
w1y61JO50b/JXaiMvHg9Aha3cHW41Tq2wDs4OykfQTV8UHBY3QPIqfcoA7AebIpU
J5MmCLc4/BIwvuEajd8/p9goV8B2mvpBagyu0KUM7u8vstfzQAOU5frya8OmOrvT
yneBkUFue2VAju6RBikbX3rnNNzxuB/DpDHxubfrVKMGopgy6aP+gNhtaDEYYLt+
OR0wtgCPAcujpB+aJZqymAkTRpL7rPnO+XgoMnMP1aVNkPshkT6jMxGpvMxw4vZu
jVJK9UT7PW3FP4OVb7Yu6fUZrK8JBc0S1vWhuT2zWL7YVYLuJCQKX1H5GsRcsBFR
EV9mN352VqxtQCSmT0t1aHvY0fwYfqqbd9xyMSQ5dwreyDQP2v3SgEGF2u+DAyFB
RHkfdM1WCplbL2R/i4etAMksIjtKOeDlKMK298dEffccoKtb5Yo=
=znGu
-----END PGP SIGNATURE-----
pgpRPFcLRSMWS.pgp
Description: PGP signature
--- End Message ---