On Thu, Jun 18, 2020 at 10:41:37PM -0700, Josh Triplett wrote: > Package: mutt > Version: 1.14.3-1 > Severity: important > > "important" because it makes a previously working configuration > unusable. > > The fix for CVE-2020-14093 makes it so that when using a > preauthenticated connection (using `set tunnel` to SSH to the IMAP > server), mutt just prints "Encrypted connection unavailable" and refuses > the connection. An strace shows that mutt successfully runs SSH and gets > the preauthenticated IMAP connection. > > I do not have any ssl-related options set. Best guess: the default > ssl_starttls=yes makes mutt think it should starttls over preauth, which > it now avoids due to the CVE.
I can confirm that setting ssl_starttls=no allows preauthenticated IMAP connections using `set tunnel` to work again.