---

Debian Security Advisory: Package: majordomo

Date: Sat, 3 Jun 2000 21:18:29 +0200
From: Wichert Akkerman wichert@cistron.nl
To: debian-security-announce@lists.debian.org
Subject: [SECURITY] Majordomo will be removed


Debian Security Advisory                             security@debian.org
http://www.debian.org/security/                         Wichert Akkerman
June  3, 2000


Package        : majordomo
Problem type   : local exploit
Debian-specific: no

The majordomo package as shipped in the non-free section
accompanying Debian GNU/Linux 2.1/slink allows any local user to
trick majordomo into executing arbitrary code or to create or write
files as the majordomo user anywhere on the filesystem.

This is a documented issue and the advised work around it to
either have no untrusted users on a system running majordomo or to
use a setuid wrapper that the MTA delivery agent can run.
suboptimal solution.

We feel that those options are not a good solution, but
unfortunately the majordomo license does not allow us to fix these
problems and distribute a fixed version. As a result we have
decided to remove majordomo from our archives.

If you are using majordomo we recommend that you replace it with
one of the many other mailing-list tools available such as fml,
mailman or smartlist.

– —


For apt-get: deb http://security.debian.org/
stable updates
For dpkg-ftp: ftp://security.debian.org/debian-security
dists/stable/updates

Mailing list: debian-security-announce@lists.debian.org

Get the Free Newsletter!

Subscribe to Developer Insider for top news, trends, & analysis