Brent Chapman wrote:
>The message went to Majordomo developers (the Majordomo-Workers)
>mailing list about 12 hours ago. We wanted them to check out the patch
>and make sure it worked and didn't cause any other problems. The patch
>is being posted to Majordomo-Users, Majordomo-Announce, and other
>forums now, even as I type this (John Rouillard is sitting next to me
>in the USENIX terminal room, sending it out).
Thanks for the explanation. It would have helped if the message sent
to majordomo-workers explained the plans to repost it later on
majordomo-users. Even better would have been to post an announcement
to majordomo-users saying something like:
"A bug has been discovered (and is being actively exploited) that
lets people run commands as the user that Majordomo runs under.
Patches for 1.62 and 1.90 are being tested and a full announcement
will be posted within 24 hours. It might be prudent to disable
Majordomo by [some simple method] pending availability of the
patch."
That would have let us know what the risk was, what was being done
about it, and how to protect ourselves without disclosing the nature
of the bug itself.
-Dave