Escape sequences in mail input enabling remote code execution

The mail tool from mailutils executes commands read from stdin if the line begins with the escape sequence ~! or ~| as documented here:
https://mailutils.org/manual/html_section/mail.html#Executing-Shell-Commands

Before GNU mailutils 3.13 this also applies / applied to non-interactive uses of mail, which may lead to remote code execution. This caused CVE-2021-32749 in fail2ban, described here:
https://github.com/fail2ban/fail2ban/security/advisories/GHSA-m985-3f3v-cwmm

The issue was fixed in mailutils upstream here:
https://savannah.gnu.org/bugs/?60937

Ubuntu versions up to (including) 21.10 still contain an unpatched mailutils package. I could reproduce the issue with this command from the fail2ban security advisory on Ubuntu 20.04:
printf "RCE: next line will execute command\n~! echo RCE is here\n" | mail -s "RCE" "$mail_address"

Going by the changelogs, Ubuntu's fail2ban packages up to 21.04 are also unpatched. Debian patched this issue in fail2ban 0.11.2-2 (at least that's my interpretation of "Fix a problem with mail" in the changelog a few days before the fail2ban security advisory release, combined with the following bug report linked below) and reverted that patch in fail2ban 0.11.2-5 because it caused problems with bsd-mailx and they had mailutils 3.13 by then:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=991449

I propose fixing this issue in mailutils for impish and older. jammy already has mailutils 3.13 with the upstream patch.

Note:
I confirmed the proof of concept from the fail2ban advisory (the `printf | mail` above) worked on focal and didn't work on jammy. I didn't personally try to trigger this through fail2ban. I don't have an old enough system with fail2ban currently set up and don't even use it's mail features, but thought I should report this anyhow after stumbling upon it on the fail2ban GitHub pages.