#1135699 mutt: CVE-2026-43859 CVE-2026-43860 CVE-2026-43861 CVE-2026-43862 CVE-2026-43863 CVE-2026-43864

Package:
src:mutt
Source:
src:mutt
Submitter:
Salvatore Bonaccorso
Date:
2026-06-07 17:37:03 UTC
Severity:
normal
#1135699#5
Date:
2026-05-04 20:45:08 UTC
Hi,

The following vulnerabilities were published for mutt.

CVE-2026-43859[0]:
| mutt before 2.3.2 sometimes uses strfcpy instead of memcpy for the
| IMAP auth_cram MD5 digest.


CVE-2026-43860[1]:
| mutt before 2.3.2 sometimes truncates the hash_passwd by one byte
| for IMAP auth_cram MD5 digest.


CVE-2026-43861[2]:
| mutt before 2.3.2 does not check for '\0' in url_pct_decode.


CVE-2026-43862[3]:
| In mutt before 2.3.2, the imap_auth_gss security level is
| mishandled.


CVE-2026-43863[4]:
| mutt before 2.3.2 has an infinite loop in data_object_to_stream in
| crypt-gpgme.c.


CVE-2026-43864[5]:
| mutt before 2.3.2 has a show_sig_summary NULL pointer dereference.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-43859
    https://www.cve.org/CVERecord?id=CVE-2026-43859
[1] https://security-tracker.debian.org/tracker/CVE-2026-43860
    https://www.cve.org/CVERecord?id=CVE-2026-43860
[2] https://security-tracker.debian.org/tracker/CVE-2026-43861
    https://www.cve.org/CVERecord?id=CVE-2026-43861
[3] https://security-tracker.debian.org/tracker/CVE-2026-43862
    https://www.cve.org/CVERecord?id=CVE-2026-43862
[4] https://security-tracker.debian.org/tracker/CVE-2026-43863
    https://www.cve.org/CVERecord?id=CVE-2026-43863
[5] https://security-tracker.debian.org/tracker/CVE-2026-43864
    https://www.cve.org/CVERecord?id=CVE-2026-43864

Regards,
Salvatore

#1135699#10
Date:
2026-06-07 17:34:37 UTC
We believe that the bug you reported is fixed in the latest version of
mutt, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1135699@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Antonio Radici <antonio@debian.org> (supplier of updated mutt package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Sun, 07 Jun 2026 18:55:21 +0200
Source: mutt
Architecture: source
Version: 2.3.2-1
Distribution: unstable
Urgency: medium
Maintainer: Mutt maintainers <mutt@packages.debian.org>
Changed-By: Antonio Radici <antonio@debian.org>
Closes: 1132418 1135699
Changes:
 mutt (2.3.2-1) unstable; urgency=medium
 .
   * New upstream release (Closes: 1132418)
     - fixed the following CVEs as part of the above CVE-2026-43859
       CVE-2026-43860 CVE-2026-43861 CVE-2026-43862 CVE-2026-43863
       CVE-2026-43864 (Closes: 1135699)
   * debian/watch: added the new updated path to check for new versions.
   * debian/patches: all refreshed