mailx (SL6, SL7)

Synopsis: Moderate: mailx security update
Advisory ID: SLSA-2014:1999-1
Issue Date: 2014-12-16
CVE Numbers: CVE-2004-2771, CVE-2014-7844

A flaw was found in the way mailx handled the parsing of email addresses.
A syntactically valid email address could allow a local attacker to cause
mailx to execute arbitrary shell commands through shell meta-characters
and the direct command execution functionality. (CVE-2004-2771,
CVE-2014-7844)

Note: Applications using mailx to send email to addresses obtained from
untrusted sources will still remain vulnerable to other attacks if they
accept email addresses which start with "-" (so that they can be confused
with mailx options). To counteract this issue, this update also introduces
the "--" option, which will treat the remaining command line arguments as
email addresses.
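
The Note above, as an added example that is not part of the advisory or of mailx itself: a shell wrapper for callers that hand untrusted recipients to mailx. It checks each address against a conservative allowlist, refuses any that start with "-", and passes "--" before the addresses. MAILX_BIN, is_safe_recipient and send_mail are names assumed for this example, and the allowlist is deliberately stricter than full email address syntax.

```sh
#!/bin/sh
# Added example: requires a mailx build that includes this update's "--" option.
# MAILX_BIN is an assumed variable so the binary can be swapped out for testing.
MAILX_BIN=${MAILX_BIN:-mailx}

# Return 0 only for a plain local@domain form; everything else is refused.
is_safe_recipient() {
    case $1 in
        ''|-*) return 1 ;;                 # empty, or could be read as an option
        *[!A-Za-z0-9._%+@-]*) return 1 ;;  # any character outside the allowlist
        *@*@*) return 1 ;;                 # more than one "@"
        ?*@?*) return 0 ;;                 # non-empty local part and domain
        *) return 1 ;;
    esac
}

# Usage: send_mail SUBJECT RECIPIENT...   (message body is read from stdin)
send_mail() {
    subject=$1
    shift
    [ "$#" -gt 0 ] || { echo "send_mail: no recipients" >&2; return 2; }
    for rcpt in "$@"; do
        if ! is_safe_recipient "$rcpt"; then
            echo "send_mail: refusing recipient" >&2
            return 2
        fi
    done
    # "--" ends option parsing, so every remaining argument is an address.
    "$MAILX_BIN" -s "$subject" -- "$@"
}
```

The whole send is refused if any one recipient fails validation, so a rejected address never reaches the mailx command line.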

SL6
x86_64
mailx-12.4-8.el6_6.x86_64.rpm
mailx-debuginfo-12.4-8.el6_6.x86_64.rpm
i386
mailx-12.4-8.el6_6.i686.rpm
mailx-debuginfo-12.4-8.el6_6.i686.rpm
SL7
x86_64
mailx-12.5-12.el7_0.x86_64.rpm
mailx-debuginfo-12.5-12.el7_0.x86_64.rpm

– Scientific Linux Development Team