Great Circle Associates Majordomo-Workers
(March 2005)

Subject: Re: Whether/how to address security issue with Majordomo 1.94.5?
From: "John R Levine" <johnl @ iecc . com>
Date: 9 Mar 2005 17:16:40 -0500
To: "Brent Chapman" <Brent @ GreatCircle . COM>
Cc: majordomo-workers @ greatcircle . com
Cleverness: None detected
In-reply-to: <p06210253be551fd1924a@[66.92.48.19]>
References: <p06210253be551fd1924a@[66.92.48.19]>

> Someone has contacted me about a security issue with Majordomo 1.94.5
> (the current release).  Essentially, the algorithm used to generate
> cookies for use in "auth" commands is weak and easily reversible.

They're right, but the main problem is that people often forget to change
the default nonce used to generate them.

Given the level of the threat, if you simply advise people to change the
nonce, and to use different ones if they have multiple mj1 setups for
different virtual domains, that should be fine.

I'd rather put effort into sticking a stake in the ground to ship mj 2.0
so people will believe that it's a released product.

Regards,
John Levine, johnl@iecc.com, Primary Perpetrator of "The Internet for Dummies",
Information Superhighwayman wanna-be, http://iecc.com/johnl, Mayor
"I dropped the toothpaste", said Tom, crestfallenly.
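The two points above (a cookie scheme that can be reversed, and installations still running the shipped default nonce) can be illustrated with a small defensive sketch. The following is an added example, not code from this thread and not Majordomo's own implementation: it binds each "auth" cookie to the request text with an HMAC keyed by a per-virtual-domain secret, and refuses to start when a domain's nonce is the default, too short, or shared with another domain. The config keys, the `DEFAULT_NONCE` placeholder and all function names are assumptions made for the illustration.

```python
"""Added illustration (not Majordomo's code): keyed auth cookies plus a
startup check that rejects default or reused per-domain nonces."""
import hashlib
import hmac
import secrets

# Constructed placeholder standing in for whatever a distribution ships;
# the real default value is not part of this thread.
DEFAULT_NONCE = "change-me"
MIN_NONCE_LEN = 16


class WeakNonceError(ValueError):
    """Raised when a configured nonce would make cookies guessable."""


def new_nonce() -> str:
    """Suggested replacement value: 128 bits from the OS CSPRNG."""
    return secrets.token_hex(16)


def load_domain_secrets(config: dict) -> dict:
    """Validate {virtual_domain: nonce} and return per-domain HMAC keys.

    Each nonce must differ from the default, be long enough, and be unique
    across domains, so a cookie minted for one domain is useless on another.
    """
    seen = {}
    for domain, nonce in config.items():
        if nonce == DEFAULT_NONCE or len(nonce) < MIN_NONCE_LEN:
            raise WeakNonceError(f"{domain}: nonce is the default or too short")
        if nonce in seen:
            raise WeakNonceError(f"{domain}: nonce reused from {seen[nonce]}")
        seen[nonce] = domain
    return {domain: nonce.encode() for domain, nonce in config.items()}


def make_cookie(secret: bytes, request: str) -> str:
    """HMAC-SHA256 over the exact request text.

    Unlike a reversible encoding, seeing many cookies does not reveal the
    secret, and a cookie for one request cannot be reused for a different one.
    """
    return hmac.new(secret, request.encode(), hashlib.sha256).hexdigest()


def verify_cookie(secret: bytes, request: str, presented: str) -> bool:
    """Constant-time comparison so timing does not leak how many bytes matched."""
    expected = make_cookie(secret, request)
    return hmac.compare_digest(expected, presented)


if __name__ == "__main__":
    # Constructed sample configuration with two virtual domains.
    keys = load_domain_secrets({
        "lists.example.org": new_nonce(),
        "lists.example.net": new_nonce(),
    })
    req = "subscribe announce user@example.org"
    cookie = make_cookie(keys["lists.example.org"], req)
    print("cookie:", cookie)
    print("same domain, same request:",
          verify_cookie(keys["lists.example.org"], req, cookie))
    print("other domain, same request:",
          verify_cookie(keys["lists.example.net"], req, cookie))
    try:
        load_domain_secrets({"lists.example.org": DEFAULT_NONCE})
    except WeakNonceError as err:
        print("refused:", err)
```

The startup check is the part that addresses the operational problem named in the reply: an installation that never changed its nonce fails loudly instead of quietly issuing predictable cookies, and one that copied the same nonce into every virtual domain is caught as well.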

