Debian 2.1: majordomo vulnerability

    Date: 03 Jun 2000
    Category: Debian
    Posted By: LinuxSecurity Advisories
    Any local user can trick majordomo into executing arbitrary code, or into creating or writing files as the majordomo user anywhere on the filesystem.
    -----BEGIN PGP SIGNED MESSAGE-----
    
    - ------------------------------------------------------------------------
    Debian Security Advisory
    http://www.debian.org/security/                         Wichert Akkerman
    June  3, 2000
    - ------------------------------------------------------------------------
    
    
    Package        : majordomo
    Problem type   : local exploit
    Debian-specific: no
    
    The majordomo package as shipped in the non-free section accompanying
    Debian GNU/Linux 2.1/slink allows any local user to trick majordomo into
    executing arbitrary code, or into creating or writing files as the
    majordomo user anywhere on the filesystem.
    
    This is a documented issue and the advised workaround is to either have
    no untrusted users on a system running majordomo or to use a setuid
    wrapper that the MTA delivery agent can run.
    suboptimal solution.
    
    We feel that those options are not a good solution, but unfortunately the
    majordomo license does not allow us to fix these problems and distribute a
    fixed version. As a result we have decided to remove majordomo from our
    archives.
    
    If you are using majordomo we recommend that you replace it with one
    of the many other mailing-list tools available such as fml, mailman
    or smartlist.
    
    - --
    - ----------------------------------------------------------------------------
    For apt-get: deb http://security.debian.org/ stable updates
    For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates
    
    -----BEGIN PGP SIGNATURE-----
    Version: 2.6.3ia
    Charset: noconv
    
    iQB1AwUBOTlZ/6jZR/ntlUftAQFQ6QL/XyB4EprpjY4D2eusMd9PR+UKKh0jI7Zi
    IMWf0Avik9wN6HWba64kODvePxKChnh7z2jvG3hz8CIZr6siYsTuFWtu2UkVhdZj
    THnYqB87Sqp7XIdO46R7qjnLU0KibPqQ
    =w/uo
    -----END PGP SIGNATURE-----
    