Date: Sat, 3 Jun 2000 21:18:29 +0200
From: Wichert Akkerman wichert@cistron.nl
To: debian-security-announce@lists.debian.org
Subject: [SECURITY] Majordomo will be removed
Debian Security Advisory security@debian.org
http://www.debian.org/security/ Wichert Akkerman
June 3, 2000
Package : majordomo
Problem type : local exploit
Debian-specific: no
The majordomo package as shipped in the non-free section
accompanying Debian GNU/Linux 2.1/slink allows any local user to
trick majordomo into executing arbitrary code or to create or write
files as the majordomo user anywhere on the filesystem.
This is a documented issue and the advised work around it to
either have no untrusted users on a system running majordomo or to
use a setuid wrapper that the MTA delivery agent can run.
suboptimal solution.
We feel that those options are not a good solution, but
unfortunately the majordomo license does not allow us to fix these
problems and distribute a fixed version. As a result we have
decided to remove majordomo from our archives.
If you are using majordomo we recommend that you replace it with
one of the many other mailing-list tools available such as fml,
mailman or smartlist.
– —
For apt-get: deb http://security.debian.org/
stable updates
For dpkg-ftp: ftp://security.debian.org/debian-security
dists/stable/updates
Mailing list: debian-security-announce@lists.debian.org