Security update for mutt

Announcement ID:	SUSE-SU-2026:2300-1
Release Date:	2026-06-08T13:54:59Z
Rating:	moderate
References:	bsc#1263892 bsc#1263893 bsc#1263894 bsc#1263895 bsc#1263896 bsc#1263897 bsc#1264047
Cross-References:	CVE-2026-43859 CVE-2026-43860 CVE-2026-43861 CVE-2026-43862 CVE-2026-43863 CVE-2026-43864
CVSS scores:	CVE-2026-43859 ( SUSE ): 6.3 CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N CVE-2026-43859 ( SUSE ): 4.8 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N CVE-2026-43859 ( NVD ): 3.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N CVE-2026-43860 ( SUSE ): 6.3 CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N CVE-2026-43860 ( SUSE ): 4.8 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N CVE-2026-43860 ( NVD ): 3.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N CVE-2026-43861 ( SUSE ): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N CVE-2026-43861 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N CVE-2026-43861 ( NVD ): 3.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N CVE-2026-43862 ( SUSE ): 6.3 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N CVE-2026-43862 ( SUSE ): 4.8 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N CVE-2026-43862 ( NVD ): 3.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N CVE-2026-43863 ( SUSE ): 4.8 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N CVE-2026-43863 ( SUSE ): 3.3 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L CVE-2026-43863 ( NVD ): 3.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2026-43864 ( SUSE ): 2.0 CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N CVE-2026-43864 ( SUSE ): 2.5 CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L CVE-2026-43864 ( NVD ): 2.5 CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L
Affected Products:	SUSE Linux Enterprise Server 12 SP5 SUSE Linux Enterprise Server 12 SP5 LTSS Extended Security SUSE Linux Enterprise Server for SAP Applications 12 SP5

An update that solves six vulnerabilities and has one security fix can now be installed.

Description:

This update for mutt fixes the following issues

• CVE-2026-43859: strfcpy used instead of memcpy for the IMAP auth_cram MD5 digest (bsc#1263897).
• CVE-2026-43860: truncation of hash_passwd by one byte for IMAP auth_cram MD5 digest (bsc#1263896).
• CVE-2026-43861: missing check for \0 in url_pct_decode (bsc#1263895).
• CVE-2026-43862: mishandling of the imap_auth_gss security level (bsc#1263894).
• CVE-2026-43863: infinite loop in data_object_to_stream in crypt-gpgme.c (bsc#1263893).
• CVE-2026-43864: NULL pointer dereference in function show_sig_summary (bsc#1263892).

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• SUSE Linux Enterprise Server 12 SP5 LTSS Extended Security
  zypper in -t patch SUSE-SLE-SERVER-12-SP5-LTSS-EXTENDED-SECURITY-2026-2300=1

Package List:

• SUSE Linux Enterprise Server 12 SP5 LTSS Extended Security (x86_64)
  • mutt-1.10.1-55.33.1
  • mutt-debuginfo-1.10.1-55.33.1
  • mutt-debugsource-1.10.1-55.33.1

References:

• https://www.suse.com/security/cve/CVE-2026-43859.html
• https://www.suse.com/security/cve/CVE-2026-43860.html
• https://www.suse.com/security/cve/CVE-2026-43861.html
• https://www.suse.com/security/cve/CVE-2026-43862.html
• https://www.suse.com/security/cve/CVE-2026-43863.html
• https://www.suse.com/security/cve/CVE-2026-43864.html
• https://bugzilla.suse.com/show_bug.cgi?id=1263892
• https://bugzilla.suse.com/show_bug.cgi?id=1263893
• https://bugzilla.suse.com/show_bug.cgi?id=1263894
• https://bugzilla.suse.com/show_bug.cgi?id=1263895
• https://bugzilla.suse.com/show_bug.cgi?id=1263896
• https://bugzilla.suse.com/show_bug.cgi?id=1263897
• https://bugzilla.suse.com/show_bug.cgi?id=1264047