Univention Bugzilla – Bug 37371
bsd-mailx: Command injection (ES 3.1)
Last modified: 2016-06-20 17:41:55 CEST
An undocumented feature in mailx (the implementation of the mail command) allows the execution of arbitrary commands if the email address is obtained from a remote source (CVE-2014-7844).
I think it was fixed upstream and we can import the package: https://security-tracker.debian.org/tracker/DLA-113-1
repo_admin.py --cherrypick -p bsd-mailx -r 3.2 -s errata3.2-4 --releasedest 3.1 --dest extsec3.1 # 8.1.2-0.20100314cvs-1+deb6u1
Package: bsd-mailx
Version: 8.1.2-0.20100314cvs-1.10.201605251209
Branch: ucs_3.1-0
Scope: extsec3.1
r69528 | Bug #37371: bsd-mailx
branches/ucs-3.1/ucs-3.1-1/doc/errata/staging/bsd-mailx.txt
* Imported version is the latest in squeeze-lts
* There are no additional known vulnerabilities
* Package is updatable and sending mail via /usr/sbin/mail (bsd-mailx) works
* Advisory Ok
<http://errata.software-univention.de/ucs/3.1/284.html>