{"id":"USN-2455-1","summary":"bsd-mailx vulnerability","details":"It was discovered that bsd-mailx contained a feature that allowed\nsyntactically valid email addresses to be treated as shell commands. A\nremote attacker could possibly use this issue with a valid email address to\nexecute arbitrary commands.\n\nThis functionality has now been disabled by default, and can be re-enabled\nwith the \"expandaddr\" configuration option. This update alone does not\nremove all possibilities of command execution. In environments where\nscripts use mailx to process arbitrary email addresses, it is recommended\nto modify them to use a \"--\" separator before the address to properly\nhandle those that begin with \"-\". In addition, specifying sendmail options\nafter the \"--\" separator is no longer supported, existing scripts may need\nto be modified to use the \"-a\" option instead.\n","modified":"2026-02-10T04:40:51Z","published":"2015-01-07T19:26:56Z","related":["UBUNTU-CVE-2014-7844"],"upstream":["CVE-2014-7844","UBUNTU-CVE-2014-7844"],"references":[{"type":"ADVISORY","url":"https://ubuntu.com/security/notices/USN-2455-1"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2014-7844"}],"affected":[{"package":{"name":"bsd-mailx","ecosystem":"Ubuntu:14.04:LTS","purl":"pkg:deb/ubuntu/bsd-mailx@8.1.2-0.20131005cvs-1ubuntu0.14.04.1?arch=source&distro=trusty"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"8.1.2-0.20131005cvs-1ubuntu0.14.04.1"}]}],"versions":["8.1.2-0.20111106cvs-1ubuntu1","8.1.2-0.20131005cvs-1"],"ecosystem_specific":{"binaries":[{"binary_name":"bsd-mailx","binary_version":"8.1.2-0.20131005cvs-1ubuntu0.14.04.1"}],"availability":"No subscription required"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-2455-1.json","cves_map":{"ecosystem":"Ubuntu:14.04:LTS","cves":[{"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2014-7844"}]}}}],"schema_version":"1.7.3"}