On Sat, Sep 09, 2023 at 10:23:32PM +0200, Salvatore Bonaccorso wrote:
> Source: mutt
> Version: 2.2.9-1
> Severity: grave
> Tags: security upstream
> Justification: user security hole
> X-Debbugs-Cc: car...@debian.org, Debian Security Team
> <t...@security.debian.org>
>
> Hi,
>
> The following vulnerabilities were published for mutt.
>
> CVE-2023-4874[0]:
> | Null pointer dereference when viewing a specially crafted email in
> | Mutt >1.5.2 <2.2.12
>
>
> CVE-2023-4875[1]:
> | Null pointer dereference when composing from a specially crafted
> | draft message in Mutt >1.5.2 <2.2.12
>
> Make sure to include all three commits referenced from [2], the last
> one is technically not part of the two CVEs, but another crash found
> by upstream.
>
> If you fix the vulnerabilities please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2023-4874
> https://www.cve.org/CVERecord?id=CVE-2023-4874
> [1] https://security-tracker.debian.org/tracker/CVE-2023-4875
> https://www.cve.org/CVERecord?id=CVE-2023-4875
> [2]
> http://lists.mutt.org/pipermail/mutt-announce/Week-of-Mon-20230904/000056.html
>
> Please adjust the affected versions in the BTS as needed.

Thanks for raising this, I'm uploading the new packages with the fixes today.