Published: 16 March 2011
Mutt does not verify that the smtps server hostname matches the domain name of the subject of an X.509 certificate, which allows man-in-the-middle attackers to spoof an SSL SMTP server via an arbitrary certificate, a different vulnerability than CVE-2009-3766.
debian may have used an incomplete patch from the upstream bug.
This is not specific to SMTPS. It is in the common code that uses GnuTLS, meaning that the IMAPS and POP3S protocols are also affected. Debian is carrying a fix that upstream has not applied. It doesn't look like this issue is fixed upstream. RHEL is also carrying the same fix. The fix may be the cause of a mutt sidebar related bug (a feature patch that debian and ubuntu carry) After more investigation, the sidebar related bug was preexisting. Hardy's version of mutt has a considerably different mutt_ssl_gnutls.c and my testing has shown that it is not affected.