Test ID:	1.3.6.1.4.1.25623.1.0.842071
Category:	Ubuntu Local Security Checks
Title:	Ubuntu: Security Advisory (USN-2455-1)
Summary:	The remote host is missing an update for the 'bsd-mailx' package(s) announced via the USN-2455-1 advisory.
Description:	Summary: The remote host is missing an update for the 'bsd-mailx' package(s) announced via the USN-2455-1 advisory. Vulnerability Insight: It was discovered that bsd-mailx contained a feature that allowed syntactically valid email addresses to be treated as shell commands. A remote attacker could possibly use this issue with a valid email address to execute arbitrary commands. This functionality has now been disabled by default, and can be re-enabled with the 'expandaddr' configuration option. This update alone does not remove all possibilities of command execution. In environments where scripts use mailx to process arbitrary email addresses, it is recommended to modify them to use a '--' separator before the address to properly handle those that begin with '-'. In addition, specifying sendmail options after the '--' separator is no longer supported, existing scripts may need to be modified to use the '-a' option instead. Affected Software/OS: 'bsd-mailx' package(s) on Ubuntu 10.04, Ubuntu 12.04, Ubuntu 14.04, Ubuntu 14.10. Solution: Please install the updated package(s). CVSS Score: 7.2 CVSS Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C
Cross-Ref:	Common Vulnerability Exposure (CVE) ID: CVE-2014-7844 http://linux.oracle.com/errata/ELSA-2014-1999.html http://rhn.redhat.com/errata/RHSA-2014-1999.html http://seclists.org/oss-sec/2014/q4/1066 http://www.debian.org/security/2014/dsa-3104 http://www.debian.org/security/2014/dsa-3105
Copyright	Copyright (C) 2015 Greenbone AG

This is only one of 145615 vulnerability tests in our test suite. Find out more about running a complete security audit. To run a free test of this vulnerability against your system, register below.