On Fri, Jun 19, 2020 at 04:04:37PM -0700, Josh Triplett wrote: > On Thu, Jun 18, 2020 at 10:41:37PM -0700, Josh Triplett wrote: > > Package: mutt > > Version: 1.14.3-1 > > Severity: important > > > > "important" because it makes a previously working configuration > > unusable. > > > > The fix for CVE-2020-14093 makes it so that when using a > > preauthenticated connection (using `set tunnel` to SSH to the IMAP > > server), mutt just prints "Encrypted connection unavailable" and refuses > > the connection. An strace shows that mutt successfully runs SSH and gets > > the preauthenticated IMAP connection. > > > > I do not have any ssl-related options set. Best guess: the default > > ssl_starttls=yes makes mutt think it should starttls over preauth, which > > it now avoids due to the CVE. > > I can confirm that setting ssl_starttls=no allows preauthenticated IMAP > connections using `set tunnel` to work again. >
Thanks for the report, I'll file a bug upstream.