Howdy all,
We’ve rolled out a new version of the procmail-wrapper
package for all platforms due to a privilege escalation bug, where any authenticated shell user could provide their own environment to procmail via the wrapper, which allowed executing code as root. This package is used in the default mail configuration for all Virtualmin versions on all platforms.
Please upgrade immediately to version 1.1 (there are a couple of extra 1.1 releases in the Debian/Ubuntu repos, due to some 32 vs 64 bit compatibility issues in my initial couple of builds, so there’s a 1.1-3 version there, which is the one you want).
This update is especially important if you host any untrusted users on your Virtualmin systems, but even if you don’t, a privilege escalation bug is still high risk; it can make a user-level exploit, such as a buggy web application, much more dangerous.
Thanks to John Lightsey for responsibly reporting this bug and following up with confirmation of the fix.
Cheers,
Joe