Synopsis:          Moderate: mailx security update
Advisory ID:       SLSA-2014:1999-1
Issue Date:        2014-12-16
CVE Numbers:       CVE-2004-2771
                   CVE-2014-7844
--

A flaw was found in the way mailx handled the parsing of email addresses.
A syntactically valid email address could allow a local attacker to cause
mailx to execute arbitrary shell commands through shell meta-characters
and the direct command execution functionality. (CVE-2004-2771,
CVE-2014-7844)

Note: Applications using mailx to send email to addresses obtained from
untrusted sources will still remain vulnerable to other attacks if they
accept email addresses which start with "-" (so that they can be confused
with mailx options). To counteract this issue, this update also introduces
the "--" option, which will treat the remaining command line arguments as
email addresses.
--

SL6
  x86_64
    mailx-12.4-8.el6_6.x86_64.rpm
    mailx-debuginfo-12.4-8.el6_6.x86_64.rpm
  i386
    mailx-12.4-8.el6_6.i686.rpm
    mailx-debuginfo-12.4-8.el6_6.i686.rpm
SL7
  x86_64
    mailx-12.5-12.el7_0.x86_64.rpm
    mailx-debuginfo-12.5-12.el7_0.x86_64.rpm

- Scientific Linux Development Team