Majordomo security problems

Ben Pfaff pfaffben@msu.edu
03 Jun 2000 15:42:13 -0400


Someone on this list recently mentioned that they're using
majordomo for mailing lists, so I'm forwarding this Debian
majordomo-related security announcement this way.

HTH,

Ben

------- Start of forwarded message -------
Resent-Date: Sat, 3 Jun 2000 15:21:59 -0400
Date: Sat, 3 Jun 2000 21:18:29 +0200
From: Wichert Akkerman <wichert@cistron.nl>
Message-Id: <200006031918.e53JITx02989@fog.mors.wiggy.net>
To: debian-security-announce@lists.debian.org
Subject: [SECURITY] Majordomo will be removed
Reply-To: security@debian.org
Resent-Message-ID: <bbQH_D.A.6DD.2pVO5@murphy>
Resent-From: debian-security-announce@lists.debian.org
Resent-Sender: debian-security-announce-request@lists.debian.org
Resent-Bcc:

-----BEGIN PGP SIGNED MESSAGE-----

- ------------------------------------------------------------------------
Debian Security Advisory                             security@debian.org
http://www.debian.org/security/                         Wichert Akkerman
June  3, 2000
- ------------------------------------------------------------------------


Package        : majordomo
Problem type   : local exploit
Debian-specific: no

The majordomo package as shipped in the non-free section accompanying
Debian GNU/Linux 2.1/slink allows any local user to trick majordomo into
executing arbitrary code or to create or write files as the majordomo user
anywhere on the filesystem.

This is a documented issue and the advised work around it to either have
no untrusted users on a system running majordomo or to use a setuid
wrapper that the MTA delivery agent can run. 
suboptimal solution.

We feel that those options are not a good solution, but unfortunately the
majordomo license does not allow us to fix these problems and distribute a
fixed version. As a result we have decided to remove majordomo from our
archives.

If you are using majordomo we recommend that you replace it with one
of the many other mailing-list tools available such as fml, mailman
or smartlist.

- -- 
- ----------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable updates
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates
Mailing list: debian-security-announce@lists.debian.org

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv

iQB1AwUBOTlZ/6jZR/ntlUftAQFQ6QL/XyB4EprpjY4D2eusMd9PR+UKKh0jI7Zi
IMWf0Avik9wN6HWba64kODvePxKChnh7z2jvG3hz8CIZr6siYsTuFWtu2UkVhdZj
THnYqB87Sqp7XIdO46R7qjnLU0KibPqQ
=w/uo
-----END PGP SIGNATURE-----


--  
To UNSUBSCRIBE, email to debian-security-announce-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org



------- End of forwarded message -------