tags 997840 + security thanks Hi Christian,
El dl. 25 de 10 de 2021 a les 19:51 +0200, en/na Christian Franke va escriure: > Package: mailutils > Version: 1:3.10-3 > > Steps to reproduce: > > $ printf 'test:\n~! echo ALERT\nbye!\n' | mail TO_SOME_ADDRESS > > Observed: "ALERT" is printed to standard output. > Expected: String "~! echo ALERT" shall be send as second line of the > mail. > > Command escapes should only be processed if used interactively. > > Related security issues: > https://security-tracker.debian.org/tracker/CVE-2021-32749 > https://www.smartmontools.org/ticket/1535 > > Fixed in mailutils 3.13, see https://savannah.gnu.org/bugs/?60937 > If possible, please backport the fix to (old)stable. Thanks, I'll see with the release team if this goes through Debian security or via the next point release. -- Jordi Mallach <jo...@debian.org> Debian Project
