Seems no-one else has posted this yet, so here goes: A Bugtraq posting explains how local users can gain root access on any RH6.x system by exploiting a bad interaction between /bin/mail's undocumented "interactive" feature, and suidperl's tendency to mail root when it detects a changed script. The URL is posted into the bugzilla URL field above. Mail should not allow shell escapes in a SUID context. (It should probably document the "interactive" feature as well)
This duplicates bug ids 15630 and 15641
*** This bug has been marked as a duplicate of 15625 ***