Package: cron Version: 3.0pl1-134 Severity: serious File: cron X-Debbugs-Cc: sm...@debian.org
This change: https://salsa.debian.org/debian/cron/-/blob/master/debian/patches/features/Add-MAILFROM-environment-variable.patch added a MAILFROM envvar. It also adds a whitelist filter to both MAILFROM and MAILTO (which it fails to document in debian/cron.NEWS). Crucially, this now excludes the '=' character, among others. Since email localparts with embedded key=value assignments are frequently used to set variables like severity or category in ticketing / workflow systems, this is going to break existing installations. (It definitely will do so at my employer.) At minimum this needs to be documented. Ideally, the set of allowed characters should be expanded.