On Thu, Jun 18, 2020 at 11:59:38PM -0600, Stuart Henderson wrote:
> CVSROOT:      /cvs
> Module name:  ports
> Changes by:   st...@cvs.openbsd.org   2020/06/18 23:59:38
> 
> Modified files:
>       mail/mutt      : Makefile distinfo 
> 
> Log message:
> update to mutt-1.14.4, fixes possible machine-in-the-middle response
> injection attack when using STARTTLS with IMAP, POP3, and SMTP.


Unfortunately this breaks my configuration, which uses an ssh tunnel to
connect to the imap server, i.e.:

account-hook imaps://imap.herrb.eu 'set tunnel="ssh -q imap.herrb.eu /usr/local/libexec/dovecot/imap"'

mutt exits with 'Encrypted connection unavailable'.

I've not seen any mention of 'set tunnel' being deprecated or broken
in mutt's release notes.

I guess it is bound to the MITM security issue. Wondering if this kind
of setup is vulnerable, or if it's a false positive.

I'm back to typing a password to read my mail for now...

-- 
Matthieu Herrb
