January 29, 2020 7:00 PM, "Stuart Henderson" <s...@spacehopper.org> wrote:
> I hesitate to mention it in case it puts anyone off from updating (DON'T
> DO THAT, YOU SHOULD UPDATE!) but it is easy to configure to avoid the
> root-escalation aspect of this bug - and many readers will already be
> doing this, especially if they maintain multiple systems: forward root's
> mail (via /root/.forward or aliases) off the machine. I haven't tested
> but presume the same bug also allows running as another (non-root) user
> so it's not a complete workaround, but is something that can be done
> quickly while planning a more complicated upgrade.
>

That's not sufficient because for mbox delivery, the privilege drop is done by the mail.local utility.

There are mitigations, like switching to maildir or blocking mail-from with a builtin filter, but I would not advise doing that.

As you said: DON'T DO THAT, update is the only safe path.