From majordomo-workers-owner@greatcircle.com Wed Mar 9 13:57:24 2005
X-Original-To: majordomo-workers@greatcircle.com
Received: from [66.92.48.19] (localhost [127.0.0.1]) by mycroft.greatcircle.com (Postfix) with ESMTP id 1AFCB32C2C3 for ; Wed, 9 Mar 2005 13:57:02 -0800 (PST)
Mime-Version: 1.0
Message-Id:
Date: Wed, 9 Mar 2005 13:57:00 -0800
To: majordomo-workers@greatcircle.com
From: Brent Chapman
Subject: Whether/how to address security issue with Majordomo 1.94.5?
Content-Type: text/plain; charset="us-ascii" ; format="flowed"
X-Archive-Number: 200503/1
X-Sequence-Number: 60

Someone has contacted me about a security issue with Majordomo 1.94.5 (the current release). Essentially, the algorithm used to generate cookies for use in "auth" commands is weak and easily reversible. The person has suggested alternate implementations which they believe are more secure; I have no reason to doubt them, but I'm not a cryptographer, and can't really evaluate whether their proposed replacement is any better than the original code.

The problem is, I view Majordomo as essentially dead code. I'm not really willing to sink much more of my own time and effort into Majordomo. This is but one of several problems with it. The only reason I still offer Majordomo for download from the GreatCircle.com web site is that the Majordomo2 folks haven't yet officially released their package; unfortunately, though, I'm not sure if they ever will.

If somebody else wants to step forward and be the new "release coordinator" (as John Rouillard and Chan Wilson were in the past), then I'd be happy to distribute the new tarball that they put together, but I'm not willing to step into that role myself.

So, are there any volunteers who can convince me that they're capable of taking on the role?

-Brent
--
Brent Chapman
Great Circle Associates, Inc.
http://www.greatcircle.com/
+1 650 962 0841

From majordomo-workers-owner@greatcircle.com Wed Mar 9 14:04:40 2005
X-Original-To: majordomo-workers@greatcircle.com
Received: from [66.92.48.19] (localhost [127.0.0.1]) by mycroft.greatcircle.com (Postfix) with ESMTP id D865032C202 for ; Wed, 9 Mar 2005 14:04:39 -0800 (PST)
Mime-Version: 1.0
Message-Id:
In-Reply-To:
References:
Date: Wed, 9 Mar 2005 14:04:37 -0800
To: majordomo-workers@greatcircle.com
From: Brent Chapman
Subject: Re: Whether/how to address security issue with Majordomo 1.94.5?
Content-Type: text/plain; charset="us-ascii" ; format="flowed"
X-Archive-Number: 200503/2
X-Sequence-Number: 61

At 1:57 PM -0800 3/9/05, Brent Chapman wrote:
>If somebody else wants to step forward and be the new "release
>coordinator" (as John Rouillard and Chan Wilson were in the past),
>then I'd be happy to distribute the new tarball that they put
>together, but I'm not willing to step into that role myself.
>
>So, are there any volunteers who can convince me that they're
>capable of taking on the role?

By the way, I wouldn't mind considering moving the whole development/support effort off to Sourceforge, either.

-Brent
--
Brent Chapman
Great Circle Associates, Inc.
http://www.greatcircle.com/
+1 650 962 0841

From majordomo-workers-owner@greatcircle.com Wed Mar 9 14:16:48 2005
X-Original-To: majordomo-workers@greatcircle.com
Received: from tom.iecc.com (tom.iecc.com [208.31.42.38]) by mycroft.greatcircle.com (Postfix) with SMTP id AFA6632C2C3 for ; Wed, 9 Mar 2005 14:16:46 -0800 (PST)
Received: (qmail 18104 invoked from network); 9 Mar 2005 22:16:40 -0000
Received: (ofmipd 127.0.0.1); 9 Mar 2005 22:16:18 -0000
Date: 9 Mar 2005 17:16:40 -0500
Message-ID:
From: "John R Levine"
To: "Brent Chapman"
Cc: majordomo-workers@greatcircle.com
Subject: Re: Whether/how to address security issue with Majordomo 1.94.5?
In-Reply-To:
References:
Cleverness: None detected
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
X-Archive-Number: 200503/3
X-Sequence-Number: 62

> Someone has contacted me about a security issue with Majordomo 1.94.5
> (the current release). Essentially, the algorithm used to generate
> cookies for use in "auth" commands is weak and easily reversible.

They're right, but the main problem is that people often forget to change the default nonce used to generate them.

Given the level of the threat, if you simply advise people to change the nonce, and to use different ones if they have multiple mj1 setups for different virtual domains, that should be fine.

I'd rather put effort into sticking a stake in the ground to ship mj 2.0 so people will believe that it's a released product.

Regards,
John Levine, johnl@iecc.com, Primary Perpetrator of "The Internet for Dummies",
Information Superhighwayman wanna-be, http://iecc.com/johnl, Mayor
"I dropped the toothpaste", said Tom, crestfallenly.

From majordomo-workers-owner@greatcircle.com Wed Mar 9 14:25:52 2005
X-Original-To: majordomo-workers@greatcircle.com
Received: from mailbox.onlinepolicy.net (mailbox.onlinepolicy.net [64.62.161.194]) by mycroft.greatcircle.com (Postfix) with ESMTP id 2300932C164; Wed, 9 Mar 2005 14:25:52 -0800 (PST)
Received: by mailbox.onlinepolicy.net (Postfix, from userid 504) id 25F94188A40; Wed, 9 Mar 2005 14:11:29 -0800 (PST)
Received: from [166.220.249.155] (unknown [166.220.249.155]) by mailbox.onlinepolicy.net (Postfix) with ESMTP id 4DE6F188A3F; Wed, 9 Mar 2005 14:11:28 -0800 (PST)
Message-ID: <422F77E9.5060404@queernet.org>
Date: Wed, 09 Mar 2005 14:25:45 -0800
From: "Roger B.A. Klorese"
User-Agent: Mozilla Thunderbird 0.9 (Windows/20041103)
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Brent Chapman
Cc: majordomo-workers@greatcircle.com
Subject: Re: Whether/how to address security issue with
References:
In-Reply-To:
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Archive-Number: 200503/4
X-Sequence-Number: 63

Brent Chapman wrote:
> At 1:57 PM -0800 3/9/05, Brent Chapman wrote:
>
>> If somebody else wants to step forward and be the new "release
>> coordinator" (as John Rouillard and Chan Wilson were in the past),
>> then I'd be happy to distribute the new tarball that they put
>> together, but I'm not willing to step into that role myself.
>>
>> So, are there any volunteers who can convince me that they're capable
>> of taking on the role?
>
>
> By the way, I wouldn't mind considering moving the whole
> development/support effort off to Sourceforge, either.
>
>
> -Brent

By the way, I'd hope anyone who'd consider doing it for Mj1 might consider doing it for Mj2...!
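Brent's first message above reports that the 1.94.5 cookie algorithm is weak and reversible, and John's reply suggests at least changing the default nonce. The Perl below is an added illustration written for this archive page; it is not Majordomo's code, not the reporter's proposed replacement, and makes no claim about what the 1.94.5 algorithm actually computes. It shows the two properties John's advice silently depends on: the cookie must be a keyed MAC over the command, the address and an expiry, so that a pile of valid cookies gives no way to reverse out the seed, and the seed itself must be long and random, because with a guessable seed a single captured cookie for a known address lets anyone confirm guesses offline, which is exactly the "default nonce left unchanged" failure. The name $cookie_seed follows the Majordomo.cf variable Brent mentions later in the thread; the cookie layout, /dev/urandom as the randomness source and the candidate-seed list are assumptions made for the example.

```perl
#!/usr/bin/perl
# Added illustration for this thread: not Majordomo's code and not the
# reporter's proposed replacement. The cookie layout and the name
# $cookie_seed are assumptions made for the example.
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# A seed for a keyed MAC must be long and random. A default string left in
# a config file is neither, and it is shared by every install that kept it.
# Assumes a Unix-like host with /dev/urandom.
sub new_cookie_seed {
    my $bytes = shift || 32;
    open(my $fh, '<:raw', '/dev/urandom') or die "cannot open /dev/urandom: $!";
    my $got = read($fh, my $buf, $bytes);
    close $fh;
    die "short read from /dev/urandom" unless defined $got && $got == $bytes;
    return unpack('H*', $buf);                 # 64 hex chars for 32 bytes
}

# Tag = HMAC-SHA256 over (command, address, expiry) under the seed. No part
# of the cookie is a function of the seed alone, so holding cookies does not
# let anyone reverse out the seed the way a weak mixing step would.
sub make_cookie {
    my ($seed, $cmd, $addr, $expires) = @_;
    my $msg = join("\0", lc $cmd, lc $addr, $expires);
    my $tag = substr(hmac_sha256_hex($msg, $seed), 0, 32);   # 128-bit tag
    return "$expires:$tag";
}

sub check_cookie {
    my ($seed, $cmd, $addr, $cookie, $now) = @_;
    my ($expires, $tag) = split(/:/, $cookie, 2);
    return 0 unless defined $tag && $expires =~ /^\d+$/;
    return 0 if $now > $expires;                   # bounded replay window
    my $want = make_cookie($seed, $cmd, $addr, $expires);
    return 0 unless length($want) == length($cookie);
    my $diff = 0;                                  # constant-time compare
    $diff |= ord(substr($want, $_, 1)) ^ ord(substr($cookie, $_, 1))
        for 0 .. length($want) - 1;
    return $diff == 0 ? 1 : 0;
}

# Even a sound MAC does not help if the seed is guessable: one captured
# cookie for a known address lets anyone test candidate seeds offline.
# The candidate list here is constructed for the demo, not a real default.
sub recover_guessable_seed {
    my ($cmd, $addr, $cookie, @candidates) = @_;
    my ($expires) = split(/:/, $cookie, 2);
    for my $c (@candidates) {
        return $c if make_cookie($c, $cmd, $addr, $expires) eq $cookie;
    }
    return undef;
}

my $addr = 'user@example.org';                     # constructed sample address
my $now  = time;
my @guesses = qw(secret majordomo cookie);        # constructed candidate seeds

my $weak_seed = 'majordomo';    # constructed stand-in for an unchanged default
my $c1  = make_cookie($weak_seed, 'subscribe', $addr, $now + 3600);
my $hit = recover_guessable_seed('subscribe', $addr, $c1, @guesses);
printf "weak seed recovered from one cookie: %s\n", defined $hit ? $hit : 'no';

my $cookie_seed = new_cookie_seed();
my $c2 = make_cookie($cookie_seed, 'subscribe', $addr, $now + 3600);
printf "valid cookie accepted:   %d\n", check_cookie($cookie_seed, 'subscribe', $addr, $c2, $now);
printf "other address rejected:  %d\n", check_cookie($cookie_seed, 'subscribe', 'other@example.org', $c2, $now) ? 0 : 1;
printf "expired cookie rejected: %d\n", check_cookie($cookie_seed, 'subscribe', $addr, $c2, $now + 7200) ? 0 : 1;
my $miss = recover_guessable_seed('subscribe', $addr, $c2, @guesses);
printf "random seed guessable:   %s\n", defined $miss ? 'yes' : 'no';
```

Run as `perl cookie_demo.pl`. The first line of output shows the weak seed being recovered from a single cookie by trying three candidates; the remaining lines show the random-seed version accepting the genuine cookie, rejecting it for a different address or after expiry, and resisting the same candidate search. The point for the thread is that "change the nonce" only works if the new nonce is unguessable and the construction that consumes it is a real keyed MAC; a reversible mixing step leaks the seed however carefully it was chosen.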
From majordomo-workers-owner@greatcircle.com Wed Mar 9 14:35:38 2005
X-Original-To: majordomo-workers@greatcircle.com
Received: from S1.cableone.net (smtp1.cableone.net [24.116.0.227]) by mycroft.greatcircle.com (Postfix) with ESMTP id 10A2E32C2C1; Wed, 9 Mar 2005 14:35:37 -0800 (PST)
Received: from mail.sonny.com (unverified [24.116.58.25]) by S1.cableone.net (CableOne SMTP Service S1) with ESMTP id 12833033 for multiple; Wed, 09 Mar 2005 15:38:01 -0700
Received: from sonny.org (dad.liston.nu [192.168.1.60]) (authenticated bits=0) by mail.sonny.com (8.12.8/8.12.8) with ESMTP id j29MZ18x027887 (version=TLSv1/SSLv3 cipher=RC4-MD5 bits=128 verify=NO); Wed, 9 Mar 2005 16:35:03 -0600
Message-ID: <422F7A91.20606@sonny.org>
Date: Wed, 09 Mar 2005 16:37:05 -0600
From: Daniel Liston
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.4) Gecko/20030624 Netscape/7.1 (ax)
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Brent Chapman
Cc: majordomo-workers@greatcircle.com
Subject: Re: Whether/how to address security issue with Majordomo 1.94.5?
References:
In-Reply-To:
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
X-IP-stats: Incoming Outgoing Last 0, First 130, in=114, out=27, spam=0 Known=true
X-External-IP: 24.116.58.25
X-Abuse-Info: Send abuse complaints to abuse@cableone.net
X-Archive-Number: 200503/5
X-Sequence-Number: 64

I would not mind moving into the role of release coordinator. I can think of several of the unofficial patches that could be rolled in to make a dandy 1.94.6 release, as well as a few bug and security fixes and "unsupported" utilities. :)

If you do move the development effort to sourceforge, are you considering any changes to a GNU license? Would greatcircle still host the mailing lists?

There were a couple years where I was intimately familiar with the inner workings of majordomo, and I still have a back burner project to make majordomo LDAP aware.
I intend to use an on/off switch for this feature, if I ever get time to finish it. :(

I just don't want to see majordomo die of neglect, and I prefer the simplicity of 1.9x to the complexity of "][".

Dan Liston

Brent Chapman wrote:
> At 1:57 PM -0800 3/9/05, Brent Chapman wrote:
>
>> If somebody else wants to step forward and be the new "release
>> coordinator" (as John Rouillard and Chan Wilson were in the past),
>> then I'd be happy to distribute the new tarball that they put
>> together, but I'm not willing to step into that role myself.
>>
>> So, are there any volunteers who can convince me that they're capable
>> of taking on the role?
>
>
> By the way, I wouldn't mind considering moving the whole
> development/support effort off to Sourceforge, either.
>
>
> -Brent

From majordomo-workers-owner@greatcircle.com Wed Mar 9 14:36:01 2005
X-Original-To: majordomo-workers@greatcircle.com
Received: from [66.92.48.19] (localhost [127.0.0.1]) by mycroft.greatcircle.com (Postfix) with ESMTP id 21F0B32C30A; Wed, 9 Mar 2005 14:35:55 -0800 (PST)
Mime-Version: 1.0
Message-Id:
In-Reply-To:
References:
Date: Wed, 9 Mar 2005 14:35:53 -0800
To: "John R Levine"
From: Brent Chapman
Subject: Re: Whether/how to address security issue with Majordomo 1.94.5?
Cc: majordomo-workers@greatcircle.com
Content-Type: text/plain; charset="us-ascii" ; format="flowed"
X-Archive-Number: 200503/6
X-Sequence-Number: 65

At 5:16 PM -0500 3/9/05, John R Levine wrote:
>> Someone has contacted me about a security issue with Majordomo 1.94.5
>> (the current release). Essentially, the algorithm used to generate
>> cookies for use in "auth" commands is weak and easily reversible.
>
>They're right, but the main problem is that people often forget to change
>the default nonce used to generate them.
>
>Given the level of the threat, if you simply advise people to change the
>nonce, and to use different ones if they have multiple mj1 setups for
>different virtual domains, that should be fine.
That doesn't appear to be sufficient. The person who contacted me included code which figures out what the nonce (the "cookie_seed" in the Majordomo.cf file) is; the code is only about 40 lines of Perl.

>I'd rather put effort into sticking a stake in the ground to ship mj 2.0
>so people will believe that it's a released product.

So would I, but I've about given up hope for it ever being released. I'd love to be proven wrong.

-Brent
--
Brent Chapman
Great Circle Associates, Inc.
http://www.greatcircle.com/
+1 650 962 0841

From majordomo-workers-owner@greatcircle.com Wed Mar 9 14:38:52 2005
X-Original-To: majordomo-workers@greatcircle.com
Received: from [66.92.48.19] (localhost [127.0.0.1]) by mycroft.greatcircle.com (Postfix) with ESMTP id 635F832C1F5; Wed, 9 Mar 2005 14:38:51 -0800 (PST)
Mime-Version: 1.0
Message-Id:
In-Reply-To: <422F77E9.5060404@queernet.org>
References: <422F77E9.5060404@queernet.org>
Date: Wed, 9 Mar 2005 14:38:48 -0800
To: "Roger B.A. Klorese"
From: Brent Chapman
Subject: Re: Whether/how to address security issue
Cc: majordomo-workers@greatcircle.com
Content-Type: text/plain; charset="us-ascii" ; format="flowed"
X-Archive-Number: 200503/7
X-Sequence-Number: 66

At 2:25 PM -0800 3/9/05, Roger B.A. Klorese wrote:
>Brent Chapman wrote:
>
>>At 1:57 PM -0800 3/9/05, Brent Chapman wrote:
>>
>>>If somebody else wants to step forward and be the new "release
>>>coordinator" (as John Rouillard and Chan Wilson were in the past),
>>>then I'd be happy to distribute the new tarball that they put
>>>together, but I'm not willing to step into that role myself.
>>>
>>>So, are there any volunteers who can convince me that they're
>>>capable of taking on the role?
>>
>>
>>By the way, I wouldn't mind considering moving the whole
>>development/support effort off to Sourceforge, either.
>>
>>
>>-Brent
>
>
>By the way, I'd hope anyone who'd consider doing it for Mj1 might
>consider doing it for Mj2...!

Wishful thinking, I think... They're very different beasts.
I don't think _I'm_ qualified to be a release coordinator for Mj2; there's too much nitty-gritty know-how required about how to turn it into a .rpm, .deb, and so forth, which I don't have. Mj1 has always simply been distributed as a tarball, and that's fine; we shouldn't be looking to break new ground (and attract new users, ) by doing anything different than that with Mj1.

-Brent
--
Brent Chapman
Great Circle Associates, Inc.
http://www.greatcircle.com/
+1 650 962 0841

From majordomo-workers-owner@greatcircle.com Wed Mar 9 14:51:18 2005
X-Original-To: majordomo-workers@greatcircle.com
Received: from [66.92.48.19] (localhost [127.0.0.1]) by mycroft.greatcircle.com (Postfix) with ESMTP id 30A5632C2CD; Wed, 9 Mar 2005 14:51:17 -0800 (PST)
Mime-Version: 1.0
Message-Id:
In-Reply-To: <422F7A91.20606@sonny.org>
References: <422F7A91.20606@sonny.org>
Date: Wed, 9 Mar 2005 14:51:15 -0800
To: Daniel Liston
From: Brent Chapman
Subject: Re: Whether/how to address security issue with Majordomo 1.94.5?
Cc: majordomo-workers@greatcircle.com
Content-Type: text/plain; charset="us-ascii" ; format="flowed"
X-Archive-Number: 200503/8
X-Sequence-Number: 67

At 4:37 PM -0600 3/9/05, Daniel Liston wrote:
>I would not mind moving into the role of release coordinator.

OK, that's an option I'll definitely consider.

If anybody wants to speak up for or against Dan taking over the role of release coordinator, please let me know your reasons ASAP; feel free to send me private email, if you'd rather not discuss it publicly.

>I can think of several of the unofficial patches that could
>be rolled in to make a dandy 1.94.6 release, as well as a few
>bug and security fixes and "unsupported" utilities. :)

Yeah, though we might also want to consider getting the security patch(es) out quickly as 1.94.6, and then following up with a feature release (perhaps 1.95?).
That would make it easy for folks to address just the security issue, without worrying about what new bugs might be introduced by the new features.

>If you do move the development effort to sourceforge, are you
>considering any changes to a GNU license?

I don't recall why I originally chose the TIS license (which is what I based the Majordomo license on, with their permission) rather than a GNU license. If I recall correctly, the GNU license was nowhere near as well-established back then, and was just one of several "open source" (though that term hadn't come into use yet, I don't think) licenses that were floating around.

>Would greatcircle still host the mailing lists?

Yes, if necessary, though it might make sense to move them to Sourceforge as well (if that's a service they offer; I don't know). Nobody here is paying any attention to bounces or requests for approval on the Majordomo-* mailing lists.

>There were a couple years where I was intimately familiar with
>the inner workings of majordomo, and I still have a back burner
>project to make majordomo LDAP aware. I intend to use an on/off
>switch for this feature, if I ever get time to finish it. :(
>
>I just don't want to see majordomo die of neglect, and I prefer
>the simplicity of 1.9x to the complexity of "][".

Noble sentiments.

-Brent
--
Brent Chapman
Great Circle Associates, Inc.
http://www.greatcircle.com/
+1 650 962 0841

From majordomo-workers-owner@greatcircle.com Wed Mar 9 18:56:48 2005
X-Original-To: majordomo-workers@greatcircle.com
Received: from mailbox.onlinepolicy.net (mailbox.onlinepolicy.net [64.62.161.194]) by mycroft.greatcircle.com (Postfix) with ESMTP id 62B0F32C353; Wed, 9 Mar 2005 18:56:47 -0800 (PST)
Received: by mailbox.onlinepolicy.net (Postfix, from userid 504) id 77463188902; Wed, 9 Mar 2005 18:42:20 -0800 (PST)
Received: from Inbox (m615e36d0.tmodns.net [208.54.94.97]) by mailbox.onlinepolicy.net (Postfix) with ESMTP id A17501889EC; Wed, 9 Mar 2005 18:42:10 -0800 (PST)
From: "Roger B.A. Klorese"
To:
Cc:
Subject: Re: Whether/how to address security issue with Majordomo 1.94.5?
Date: Wed, 9 Mar 2005 21:56:48 -0500
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.1432.1
Message-Id: <20050310024210.A17501889EC@mailbox.onlinepolicy.net>
X-Archive-Number: 200503/9
X-Sequence-Number: 68

>From: "Brent Chapman"
>>By the way, I'd hope anyone who'd consider doing it for Mj1 might
>>consider doing it for Mj2...!
>
>Wishful thinking, I think... They're very different beasts. I don't
>think _I'm_ qualified to be a release coordinator for Mj2; there's
>too much nitty-gritty know-how required about how to turn it into a
>.rpm, .deb, and so forth, which I don't have.

I'd be pleased if we started with a tarball...

From majordomo-workers-owner@greatcircle.com Wed Mar 9 22:13:53 2005
X-Original-To: majordomo-workers@greatcircle.com
Received: from sol.ccsf.cc.ca.us (sol.ccsf.cc.ca.us [147.144.1.211]) by mycroft.greatcircle.com (Postfix) with ESMTP id 49D7832C4A0; Wed, 9 Mar 2005 22:12:45 -0800 (PST)
Received: from localhost (jjah@localhost) by sol.ccsf.cc.ca.us (8.11.7p1+Sun/8.11.6) with ESMTP id j2A6Ciu13715; Wed, 9 Mar 2005 22:12:44 -0800 (PST)
Date: Wed, 9 Mar 2005 22:12:44 -0800 (PST)
From: "Joe R. Jah"
To: Brent Chapman
Cc: Daniel Liston ,
Subject: Re: Whether/how to address security issue with Majordomo 1.94.5?
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
X-Archive-Number: 200503/10
X-Sequence-Number: 69

On Wed, 9 Mar 2005, Brent Chapman wrote:

> Date: Wed, 9 Mar 2005 14:51:15 -0800
> From: Brent Chapman
> To: Daniel Liston
> Cc: majordomo-workers@greatcircle.com
> Subject: Re: Whether/how to address security issue with Majordomo 1.94.5?
>
> At 4:37 PM -0600 3/9/05, Daniel Liston wrote:
> >I would not mind moving into the role of release coordinator.
>
> OK, that's an option I'll definitely consider.
>
> If anybody wants to speak up for or against Dan taking over the role
> of release coordinator, please let me know your reasons ASAP; feel
> free to send me private email, if you'd rather not discuss it
> publicly.

I enthusiastically support Dan as Majordomo Release Coordinator.

> >I can think of several of the unofficial patches that could
> >be rolled in to make a dandy 1.94.6 release, as well as a few
> >bug and security fixes and "unsupported" utilities. :)
>
> Yeah, though we might also want to consider getting the security
> patch(es) out quickly as 1.94.6, and then following up with a feature
> release (perhaps 1.95?). That would make it easy for folks to
> address just the security issue, without worrying about what new bugs
> might be introduced by the new features.
I recommend the following patches available in:

  ftp://ftp.ccsf.org/majordomo-patches/1.94.5/

for 1.94.6:

  config_parse.pl-resend.3   Bounces non-member messages to sender|owner|both|no_one
  majordomo.1                Fixes the which command @ hole
  majordomo.5                Provides more robust confirmation procedure
  majordomo.7                Patch to deal correctly with .intro file
  noCommand_noBounce.0       Causes majordomo not to respond to SPAM
  passwd.4                   Integrates passwd and newconfig commands
  resend.1                   Puts missing "Subject" header if(subject_prefix)
  restrict2domain.1          Extends restrict_post attribute to accept email
  sample.cf.0                Defines variables for robust confirmation and sets a default policy for non-member bounce
  validate_@._.1             Addresses must not have multiple @ or . or any @..

I have been using them all for years.

For 1.95.0 I recommend html-stripper-v0.1. Other patches in the site may also be useful, but I have not tested them.

Incidentally, I believe majordomo.5 is the solution to the problem in the algorithm used to generate cookies in 1.94.5 for use in "auth" commands.

Regards,

Joe
--
jjah@sol.ccsf.cc.ca.us

> >If you do move the development effort to sourceforge, are you
> >considering any changes to a GNU license?
>
> I don't recall why I originally chose the TIS license (which is what
> I based the Majordomo license on, with their permission) rather than
> a GNU license. If I recall correctly, the GNU license was nowhere
> near as well-established back then, and was just one of several "open
> source" (though that term hadn't come into use yet, I don't think)
> licenses that were floating around.
>
> >Would greatcircle still host the mailing lists?
>
> Yes, if necessary, though it might make sense to move them to
> Sourceforge as well (if that's a service they offer; I don't know).
> Nobody here is paying any attention to bounces or requests for
> approval on the Majordomo-* mailing lists.
>
> >There were a couple years where I was intimately familiar with
> >the inner workings of majordomo, and I still have a back burner
> >project to make majordomo LDAP aware. I intend to use an on/off
> >switch for this feature, if I ever get time to finish it. :(
> >
> >I just don't want to see majordomo die of neglect, and I prefer
> >the simplicity of 1.9x to the complexity of "][".
>
> Noble sentiments.
>
>
> -Brent
> --
> Brent Chapman
> Great Circle Associates, Inc.
> http://www.greatcircle.com/
> +1 650 962 0841

From majordomo-workers-owner@greatcircle.com Tue Mar 15 17:40:22 2005
X-Original-To: majordomo-workers@greatcircle.com
Received: from [66.92.48.19] (localhost [127.0.0.1]) by mycroft.greatcircle.com (Postfix) with ESMTP id B53C632C392; Tue, 15 Mar 2005 17:40:21 -0800 (PST)
Mime-Version: 1.0
Message-Id:
Date: Tue, 15 Mar 2005 17:40:19 -0800
To: majordomo-workers@greatcircle.com
From: Brent Chapman
Subject: Dan Liston is the new Majordomo release coordinator
Content-Type: text/plain; charset="us-ascii" ; format="flowed"
X-Archive-Number: 200503/11
X-Sequence-Number: 70

I'm pleased to announce that Dan Liston has volunteered to assume the role of Majordomo release coordinator. I want to thank Dan for volunteering, and also thank outgoing release coordinator Chan Wilson.

-Brent
--
Brent Chapman -- Great Circle Associates, Inc.
Specializing in network infrastructure for Silicon Valley since 1989
For info about us and our services, please see http://www.greatcircle.com/
Network Automation blog: http://www.greatcircle.com/blog/network_automation