Control: forwarded -1 https://github.com/fail2ban/fail2ban/issues/3059 https://savannah.gnu.org/bugs/?60937 https://git.savannah.gnu.org/cgit/mailutils.git/commit/?id=4befcfd015256c568121653038accbd84820198f
On Fri, 23 Jul 2021 19:44:08 +0000 (UTC) Thorsten Alteholz wrote:

> According to upstream's security advisory [1] CVE-2021-32749 only affects
> systems where the mail utility from the mailutils package is installed.
> The recommended fix [2] is to add a new parameter "-E" to the invocation
> of mail. Unfortunately this fix breaks other implementations of mail,
> especially the version from package bsd-mailx. Thus upstream recommends in
> the Workaround section of the advisory to only manually patch the
> systems where the mailutils-mail is used.
>
> According to popcon the numbers of systems where mailutils-mail and
> bsd-mailx-mail are used are about even. So applying upstream's fix now
> breaks about half of the systems using fail2ban.
>
> The corresponding upstream bug #3069 [3] did not get any attention yet.

The bug got forwarded to mailutils upstream and fixed there by disabling
the escape sequence in non-interactive situations. The next step is for
fail2ban to revert the workaround for the appropriate versions of mail;
I've suggested how they should do that on the upstream bug #3059.

--
bye,
pabs

https://wiki.debian.org/PaulWise