This is a bug-fix release, addressing CVE-2022-1328: a buffer overread in the
uuencoded decoder routine. For more details please see GitLab ticket 404:
https://gitlab.com/muttmua/mutt/-/issues/404. The commit fixing this issue
is at e5ed080c00.
Also fixed were a possible integer overflow issue in the general iconv and
rfc2047-conversion iconv functions. These are not believed to be exploitable.

which I will backport to -stable. The relevant bug was introduced in 1.9.0.
"When there is a hole in the header cache, the UID numbers are no
longer guaranteed to increase with the index. This can result in
incorrect msgset values being sent to the server."

if a port needs 2.x then set MODPY_VERSION=${MODPY_DEFAULT_VERSION_2}.
This commit doesn't change any versions currently used; it may be that
some ports have MODPY_DEFAULT_VERSION_2 but don't require it, those
should be cleaned up in the course of updating ports where possible.
Python module ports providing py3-* packages should still use
FLAVOR=python3 so that we don't have a mixture of dependencies some
using ${MODPY_FLAVOR} and others not.

This has a major version number bump due to some incompatible changes
in behaviour or defaults, although the code changes are less big than some
other "lesser" bumps.
See http://www.mutt.org/relnotes/2.0/ for details.

gnupg-1.4 is not developed actively anymore, and new software expects
a modern "gpg" executable, which leads to pointless patches in the ports
tree. Move the various users of security/gnupg2 to security/gnupg and
zap patches that forced the use of "gpg2".
Crusade started by edd@ (security/gnupg maintainer), gnupg->gnupg2 test
reports from semarie@, giovanni@ and solene@, input and bulk build by
sthen@. ok sthen@ edd@ (maintainer)

This is a bug-fix release fixing a problem resetting access times that snuck
in starting with 1.11.0. This only affected relative-path mailboxes, but
caused Mutt to "forget" new mail in mbox files.

Fix possible IMAP man-in-the-middle attack. No credentials are exposed,
but could result in unintended emails being "saved" to an attacker's
server. The $ssl_starttls quadoption is now used to check for an
unencrypted PREAUTH response from the server.
(the release also had a gnutls fix, but we don't use gnutls in the port).