Great Circle Associates Majordomo-Workers
(June 2000)
 


Subject: Re: [Fwd: [Debian] Majordomo will be removed]
From: jmorace+mj @ u . washington . edu
Date: Sun, 4 Jun 2000 11:24:31 -0700 (PDT)
To: Anthony Baratta <Anthony @ Baratta . com>
Cc: Majordomo Admin Mailing List <majordomo-users @ greatcircle . com>, majordomo-workers @ greatcircle . com
In-reply-to: <3939ED6E.41059B58@Baratta.com>

I think it is the following section of the LICENSE file which prohibits
them from doing so:

                 You may not publicly distribute a modified or
                 incomplete version of Majordomo.  You may make
                 such a version available to your own clients,
                 subject to the restrictions below, but not to the
                 general public (for instance, by placing it on an
                 anonymous FTP site).

I'm curious though, why is the majordomo license so restrictive?  In a
reply to a message I sent to security@debian.org, it was suggested that
majordomo change the licensing to one that conforms to the Debian Free
Software Guidelines (DFSG), such as GPL
http://www.debian.org/social_contract#guidelines.  Is there any reason
this has not been done?

On a side note, are there any patches that take care of the mentioned
exploit?

Thanks,

Jonathan

On Sat, 3 Jun 2000, Anthony Baratta wrote:

>Does this make sense to anyone? Why would Debian be prevented from making fixes to
>MajorDomo??
>
>Aleph One wrote:
>> 
>> -----BEGIN PGP SIGNED MESSAGE-----
>> 
>> - ------------------------------------------------------------------------
>> Debian Security Advisory                             security@debian.org
>> http://www.debian.org/security/                         Wichert Akkerman
>> June  3, 2000
>> - ------------------------------------------------------------------------
>> 
>> Package        : majordomo
>> Problem type   : local exploit
>> Debian-specific: no
>> 
>> The majordomo package as shipped in the non-free section accompanying
>> Debian GNU/Linux 2.1/slink allows any local user to trick majordomo into
>> executing arbitrary code or to create or write files as the majordomo user
>> anywhere on the filesystem.
>> 
>> This is a documented issue and the advised work around is to either have
>> no untrusted users on a system running majordomo or to use a setuid
>> wrapper that the MTA delivery agent can run.
>> suboptimal solution.
>> 
>> We feel that those options are not a good solution, but unfortunately the
>> majordomo license does not allow us to fix these problems and distribute a
>> fixed version. As a result we have decided to remove majordomo from our
>> archives.
>> 
>> If you are using majordomo we recommend that you replace it with one
>> of the many other mailing-list tools available such as fml, mailman
>> or smartlist.
>> 
>> - --
>> - ----------------------------------------------------------------------------
>> For apt-get: deb http://security.debian.org/ stable updates
>> For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates
>> Mailing list: debian-security-announce@lists.debian.org
>> 
>> -----BEGIN PGP SIGNATURE-----
>> Version: 2.6.3ia
>> Charset: noconv
>> 
>> iQB1AwUBOTlZ/6jZR/ntlUftAQFQ6QL/XyB4EprpjY4D2eusMd9PR+UKKh0jI7Zi
>> IMWf0Avik9wN6HWba64kODvePxKChnh7z2jvG3hz8CIZr6siYsTuFWtu2UkVhdZj
>> THnYqB87Sqp7XIdO46R7qjnLU0KibPqQ
>> =w/uo
>> -----END PGP SIGNATURE-----
>
>
>-- 
>Anthony Baratta
>President
>KeyBoard Jockeys
>                    South Park Speaks Version 3 is here!!!
>                       http://www.baratta.com/southpark
>                              Powered by Tsunami
>



