Description: | The mailx packages contain a mail user agent that is used to manage mail using scripts. A flaw was found in the way mailx handled the parsing of email addresses. A syntactically valid email address could allow a local attacker to cause mailx to execute arbitrary shell commands through shell meta-characters and the direct command execution functionality. (CVE-2004-2771, CVE-2014-7844) Note: Applications using mailx to send email to addresses obtained from untrusted sources will still remain vulnerable to other attacks if they accept email addresses which start with "-" (so that they can be confused with mailx options). To counteract this issue, this update also introduces the "--" option, which will treat the remaining command line arguments as email addresses. All mailx users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. |
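
As an added example (not part of the advisory or of the mailx packages), this is one way an application that passes untrusted recipients to an updated mailx could build its command line: no shell, "--" before the addresses, and a strict check on each address. The function names and the address allow-list are assumptions made for illustration.

```python
import re
import subprocess

# Assumption: a deliberately narrow allow-list, stricter than what mail
# standards permit. The first character must be alphanumeric, so a recipient
# can never start with "-" (option confusion) and can never contain shell
# meta-characters, whitespace or path separators.
_ADDR_RE = re.compile(
    r"[A-Za-z0-9][A-Za-z0-9._+-]*@[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?"
)


def build_mailx_argv(subject, recipients, mailx="mailx"):
    """Return the argv list for mailx, or raise ValueError on a bad recipient."""
    if not recipients:
        raise ValueError("no recipients given")
    for addr in recipients:
        if not _ADDR_RE.fullmatch(addr):
            raise ValueError(f"rejected recipient: {addr!r}")
    # "--" is the option introduced by the update described above: everything
    # after it is treated as an email address, never as a mailx option.
    # The subject is the argument of -s, so it is not parsed as an option.
    return [mailx, "-s", subject, "--", *recipients]


def is_rejected(addr):
    """True when build_mailx_argv refuses the address."""
    try:
        build_mailx_argv("test", [addr])
    except ValueError:
        return True
    return False


def send(subject, body, recipients):
    """Send body via mailx. Passing a list keeps the shell out of the picture."""
    argv = build_mailx_argv(subject, recipients)
    subprocess.run(argv, input=body.encode(), check=True)


if __name__ == "__main__":
    # Constructed sample input; prints the command line instead of sending.
    print(build_mailx_argv("Nightly report", ["ops@example.com"]))
    for sample in ["-v@example.com", "a;b@example.com", "bob@example.org"]:
        print(sample, "rejected" if is_rejected(sample) else "accepted")
```

The validation is still needed when "--" is used, since "--" only addresses the option-confusion case and only on packages that carry the update.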