Great Circle Associates Majordomo-Users
(June 1994)
 


Subject: Majordomo SECURITY bug new-list announcement
From: "John P. Rouillard" <rouilj @ cs . umb . edu>
Date: Wed, 8 Jun 1994 16:47:40 -0400 (EDT)
To: majordomo-users @ greatcircle . com

Here we go again. The original patch for the majordomo bug was
incomplete. A bug has been discovered in the new-list program (and is
being actively exploited) that lets people run commands as the user
that Majordomo runs under.  Patches for 1.62 and 1.90 are being tested
and a full announcement will be posted within 24 hours.  It is prudent
to disable the new-list program in Majordomo by renaming the new-list
program, or deleting it from the aliases file pending availability of
the patch.

This bug is related to but NOT fixed by the majordomo security patch.
If you wish to fix new-list, refer to the majordomo security patch for
background information.

				-- John
John Rouillard

Senior Systems Consultant (SERL Project) University of Massachusetts at Boston
rouilj@cs.umb.edu (preferred)            Boston, MA, (617) 287-6480
==============================================================================
My employers don't acknowledge my existence much less my opinions.
