Synopsis: Moderate: mutt security update Issue date: 2007-06-04 CVE Names: CVE-2006-5297 CVE-2007-1558 CVE-2007-2683 A flaw was found in the way Mutt used temporary files on NFS file systems. Due to an implementation issue in the NFS protocol, Mutt was not able to exclusively open a new file. A local attacker could conduct a time-dependent attack and possibly gain access to e-mail attachments opened by a victim. (CVE-2006-5297) A flaw was found in the way Mutt processed certain APOP authentication requests. By sending certain responses when mutt attempted to authenticate against an APOP server, a remote attacker could potentially acquire certain portions of a user's authentication credentials. (CVE-2007-1558) A flaw was found in the way Mutt handled certain characters in gecos fields which could lead to a buffer overflow. The gecos field is an entry in the password database typically used to record general information about the user. A local attacker could give themselves a carefully crafted "Real Name" which could execute arbitrary code if a victim uses Mutt and expands the attackers alias. (CVE-2007-2683) SL 3.0.x SRPMS: mutt-1.4.1-5.el3.src.rpm i386: mutt-1.4.1-5.el3.i386.rpm x86_64: mutt-1.4.1-5.el3.x86_64.rpm SL 4.x SRPMS: mutt-1.4.1-12.0.3.el4.src.rpm i386: mutt-1.4.1-12.0.3.el4.i386.rpm x86_64: mutt-1.4.1-12.0.3.el4.x86_64.rpm SL 5.x SRPMS: mutt-1.4.2.2-3.0.2.el5.src.rpm i386: mutt-1.4.2.2-3.0.2.el5.i386.rpm x86_64: mutt-1.4.2.2-3.0.2.el5.x86_64.rpm -Connie Sieh -Troy Dawson