------------------------------------------------------------------------
BCSA 016     Badly Coded, Inc. Security Advisory    September 23rd, 2019
------------------------------------------------------------------------

BCSA-016: Debug feature in BCMTA 2.0 allows root execution

Affected versions: 2.0
Fixed versions: 2.1 and later

It has come to our attention that version 2.0 of BCMTA retained an
option, originally intended just for debugging use, which caused
directly to a shell instead of being delivered normally. In the default
configuration where BCMTA runs as root, this allows local privilege
escalation. We have disabled this feature starting in version 2.1 of
BCMTA.

We would like to acknowledge a number of students from the University
of Minnesota's Computer Science and Engineering 5271 course who
reported this vulnerability.

All BCMTA users are recommended to upgrade at their earliest
convenience.