CVSS2: 7.5 High (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Attack Vector: NETWORK; Attack Complexity: LOW; Authentication: NONE; Confidentiality Impact: PARTIAL; Integrity Impact: PARTIAL; Availability Impact: PARTIAL

CVSS3: 7.8 High (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Attack Vector: LOCAL; Attack Complexity: LOW; Privileges Required: LOW; User Interaction: NONE; Scope: UNCHANGED; Confidentiality Impact: HIGH; Integrity Impact: HIGH; Availability Impact: HIGH

AI Score: 7.9 High (Confidence: High)
EPSS: 0.031 Low (Percentile: 91.1%)
Package : bsd-mailx
Version : 8.1.2-0.20100314cvs-1+deb6u1
CVE ID : CVE-2014-7844
It was discovered that bsd-mailx, an implementation of the "mail"
command, had an undocumented feature which treats syntactically valid
email addresses as shell commands to execute.
Users who need this feature can re-enable it using the "expandaddr" option
in an appropriate mailrc file. This update also removes the obsolete -T
option. An older security vulnerability, CVE-2004-2771, had already
been addressed in Debian's bsd-mailx package.
Note that this security update does not remove all mailx facilities
for command execution, though. Scripts which send mail to addresses
obtained from an untrusted source (such as a web form) should use the
"--" separator before the email addresses (which was fixed to work
properly in this update), or they should be changed to invoke
"mail -t" or "sendmail -i -t" instead, passing the recipient addresses
as part of the mail header.
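The two safe invocation patterns the advisory recommends, worked through as an added example (not code from the Debian advisory or from the bsd-mailx package). It assumes a mail(1) that honours the "--" end-of-options separator and a sendmail(8) that accepts "-i -t"; the helper names and the sample addresses are constructed for illustration. The point it adds to the text is that the separator only protects against option parsing: the addresses must still be handed over as an argv list (never through a shell), and the "-t" path needs a header-injection check because the recipients are read from the message headers.

```python
"""Safe recipient handling for scripts that hand untrusted addresses to
mail(1) or sendmail(8).

Added example for this advisory; it is not code from the Debian advisory
or from the bsd-mailx package. It assumes a mail(1) that honours the "--"
end-of-options separator and a sendmail(8) that accepts "-i -t"; the
helper names below are hypothetical.
"""
import re
import subprocess
from typing import List, Optional, Tuple

# Constructed sample of what a web form might submit: one good address, one
# that looks like an option, and one carrying a header-injection attempt.
SAMPLE_ADDRESSES = [
    "alice@example.org",
    "--version",
    "bob@example.net\nBcc: third@example.com",
]

# Deliberately strict allow-list: local part, "@", dotted domain. Anything
# else (whitespace, newlines, quotes, shell metacharacters, a leading dash)
# is rejected before it reaches a command line or a mail header.
ADDRESS_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")


def validate_address(addr: str) -> bool:
    """True only if addr matches the allow-list in full (fullmatch, so a
    trailing newline or an embedded header line cannot slip past a '$' anchor)."""
    return ADDRESS_RE.fullmatch(addr) is not None


def screen_recipients(addrs: List[str]) -> Tuple[List[str], List[str]]:
    """Partition untrusted input into (accepted, rejected), preserving order."""
    accepted = [a for a in addrs if validate_address(a)]
    rejected = [a for a in addrs if not validate_address(a)]
    return accepted, rejected


def _check_header_value(value: str) -> str:
    # A CR or LF inside a header value would let the caller append extra
    # headers (for example Bcc:) to the message that "sendmail -t" parses.
    if "\r" in value or "\n" in value:
        raise ValueError("header value must not contain CR or LF")
    return value


def mail_argv(subject: str, recipients: List[str]) -> List[str]:
    """argv for: mail -s SUBJECT -- RECIPIENT...

    Options come first; the "--" separator tells mail that every later word
    is an address, so an address beginning with "-" is not parsed as an
    option. The list is passed to subprocess without a shell, so "$(...)"
    or ";" in an address is never interpreted by /bin/sh either.
    """
    accepted, rejected = screen_recipients(recipients)
    if rejected or not accepted:
        raise ValueError(f"rejected recipient(s): {rejected!r}")
    return ["mail", "-s", _check_header_value(subject), "--", *accepted]


def sendmail_t_message(subject: str, recipients: List[str],
                       body: str) -> Tuple[List[str], bytes]:
    """(argv, stdin) for: sendmail -i -t

    With -t the recipients are read from the To: header of the message on
    stdin, so they never appear on the command line at all; -i stops a line
    consisting of a single "." from terminating the message early.
    """
    accepted, rejected = screen_recipients(recipients)
    if rejected or not accepted:
        raise ValueError(f"rejected recipient(s): {rejected!r}")
    headers = (
        f"To: {', '.join(accepted)}\n"
        f"Subject: {_check_header_value(subject)}\n"
        "\n"
    )
    return ["sendmail", "-i", "-t"], (headers + body).encode("utf-8")


def send(argv: List[str], stdin: Optional[bytes] = None) -> int:
    """Run the prepared command without a shell; returns the exit status."""
    return subprocess.run(argv, input=stdin, check=False).returncode


if __name__ == "__main__":
    accepted, rejected = screen_recipients(SAMPLE_ADDRESSES)
    print("accepted:", accepted)
    print("rejected:", rejected)
    print(mail_argv("Hello", accepted))
    argv, data = sendmail_t_message("Hello", accepted, "Thanks for signing up.\n")
    print(argv, data)
```

Running the module screens the constructed sample: only alice@example.org is accepted, while the option-like string and the address carrying a Bcc: line are rejected before either command is built. The `send` helper exists only to show the call shape (an argv list, no `shell=True`); it is not invoked by default so the example runs without a mail transport installed.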
For the oldstable distribution (squeeze), this problem has been fixed in
version 8.1.2-0.20100314cvs-1+deb6u1.
We recommend that you upgrade your bsd-mailx packages.
--
Raphaël Hertzog - Debian Developer
Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/
OS | OS Version | Architecture | Package | Affected Version | Filename |
---|---|---|---|---|---|
Debian | 7 | sparc | bsd-mailx | < 8.1.2-0.20111106cvs-1+deb7u1 | bsd-mailx_8.1.2-0.20111106cvs-1+deb7u1_sparc.deb |
Debian | 7 | kfreebsd-i386 | bsd-mailx | < 8.1.2-0.20111106cvs-1+deb7u1 | bsd-mailx_8.1.2-0.20111106cvs-1+deb7u1_kfreebsd-i386.deb |
Debian | 6 | amd64 | bsd-mailx | < 8.1.2-0.20100314cvs-1+deb6u1 | bsd-mailx_8.1.2-0.20100314cvs-1+deb6u1_amd64.deb |
Debian | 7 | all | bsd-mailx | < 8.1.2-0.20111106cvs-1+deb7u1 | bsd-mailx_8.1.2-0.20111106cvs-1+deb7u1_all.deb |
Debian | 7 | powerpc | heirloom-mailx | < 12.5-2+deb7u1 | heirloom-mailx_12.5-2+deb7u1_powerpc.deb |
Debian | 6 | all | bsd-mailx | < 8.1.2-0.20100314cvs-1+deb6u1 | bsd-mailx_8.1.2-0.20100314cvs-1+deb6u1_all.deb |
Debian | 7 | ia64 | heirloom-mailx | < 12.5-2+deb7u1 | heirloom-mailx_12.5-2+deb7u1_ia64.deb |
Debian | 6 | all | heirloom-mailx | < 12.4-2+deb6u1 | heirloom-mailx_12.4-2+deb6u1_all.deb |
Debian | 7 | s390 | heirloom-mailx | < 12.5-2+deb7u1 | heirloom-mailx_12.5-2+deb7u1_s390.deb |
Debian | 7 | s390 | bsd-mailx | < 8.1.2-0.20111106cvs-1+deb7u1 | bsd-mailx_8.1.2-0.20111106cvs-1+deb7u1_s390.deb |