From blemoine@dcoserv.corp.sgi.com Mon Jul 29 07:28:37 1996
Received: from deliverator.sgi.com (deliverator.sgi.com [204.94.214.10])
    by suburbia.net (8.7.4/Proff-950810) with SMTP id HAA23109
    for ; Mon, 29 Jul 1996 07:28:29 +1000
Received: from palladium.corp.sgi.com by deliverator.sgi.com via ESMTP (951211.SGI.8.6.12.PATCH1042/951211.SGI.AUTO)
    for <@external-mail-relay.sgi.com:best-of-security@suburbia.net> id OAA08843; Sun, 28 Jul 1996 14:27:50 -0700
Received: from dcoserv.corp.sgi.com by palladium.corp.sgi.com via ESMTP (951211.SGI.8.6.12.PATCH1042/911001.SGI)
    for <@palladium.corp.sgi.com:best-of-security@suburbia.net> id OAA21520; Sun, 28 Jul 1996 14:27:50 -0700
Received: (from blemoine@localhost) by dcoserv.corp.sgi.com (950413.SGI.8.6.12/950213.SGI.AUTOCF)
    id OAA27691 for best-of-security@suburbia.net; Sun, 28 Jul 1996 14:27:49 -0700
From: blemoine@dcoserv.corp.sgi.com (Brett Lemoine)
Message-Id: <199607282127.OAA27691@dcoserv.corp.sgi.com>
Subject: Majordomo 1.94 Alpha 9 ready, PLEASE INSTALL DUE TO SECURITY PROBLEM. (fwd)
To: best-of-security@suburbia.net
Date: Sun, 28 Jul 1996 14:27:49 -0700 (PDT)
X-Mailer: ELM [version 2.4 PL24 ME5a]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit

----- Forwarded message from Chan Wilson -----

To: majordomo-workers@GreatCircle.COM
Subject: Majordomo 1.94 Alpha 9 ready, PLEASE INSTALL DUE TO SECURITY PROBLEM.
Date: Sun, 28 Jul 1996 11:56:28 +0200
From: Chan Wilson

There is a security problem with *all* the majordomo 1.94 alphas to date.

In grab_regexp_array, in config_parse.pl, the improvement to allow full perl5
regexps opened up a security hole by not checking for additional delimiters in
the regexps, which could then be exploited to run or do anything as the
majordomo uid.

In order to exploit the hole, the evildoer must first have a list admin
password so they can change the value of a "grab_regexp_array parsed
variable", such as advertise.

This hole has been fixed by checking for multiple occurrences of the delimiter
character. This fix is in Majordomo Alpha 9, available in the usual locations:

    ftp://ftp-europe.sgi.com/other/majordomo/majordomo-1.94a9.tgz
    ftp://ftp.sgi.com/other/majordomo/majordomo-1.94a9.tgz

A patch from Alpha 8 to Alpha 9 is also available:

    ftp://ftp-europe.sgi.com/other/majordomo/a8toa9.patch.gz
    ftp://ftp.sgi.com/other/majordomo/a8toa9.patch.gz

Please install this latest alpha or patch!

Thanks,
--Chan

Chan Wilson --- cwilson@sgi.com --- +4138-433-760
Silicon Graphics, SA. Cortaillod, Switzerland.
"Network Analyst" && Irix Guru && Gravitational Engineer

----- End of forwarded message from Chan Wilson -----

-- 
//= Brett G. Lemoine =====================================================\\
|| Silicon Graphics       | "There are two major products that come out   ||
|| Server Operations, I/S | of Berkeley: LSD and UNIX.                    ||
|| Senior System Operator | We don't believe this to be a coincidence."   ||
|| blemoine@sgi.com       |   -- Jeremy S. Anderson                       ||
|+------------------------+------------------------------------------------+|
\\ PGP Key Fingerprint: 68 A1 2A 2D 82 CE E9 70 5B 80 D1 11 EC F3 FB 85 //
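The check the advisory describes, as an added Python model that is not Majordomo's own config_parse.pl code (which is Perl): a regexp-array parser that accepts a config entry only if it has exactly one unescaped closing delimiter followed by nothing but modifier letters, so no trailing text can be handed to the regexp engine or an eval. The modifier table and the sample "advertise" value are assumptions.

```python
import re

class ConfigError(ValueError):
    """Raised when a regexp entry in a list config value is malformed."""

# Perl 5 trailing modifiers modelled here (a subset, chosen as an assumption).
_FLAG_MAP = {"i": re.IGNORECASE, "m": re.MULTILINE, "s": re.DOTALL, "x": re.VERBOSE}

def parse_regexp_entry(entry: str) -> re.Pattern:
    """Parse one '/pattern/flags' entry from a regexp-array config value.

    Mirrors the advisory's fix: exactly one unescaped closing '/' may appear,
    and only modifier letters may follow it, so a second delimiter cannot
    terminate the pattern early and smuggle extra text after it.
    """
    entry = entry.strip()
    if len(entry) < 2 or entry[0] != "/":
        raise ConfigError(f"entry must start with '/': {entry!r}")
    closers = []
    i = 1
    while i < len(entry):
        if entry[i] == "\\":          # a backslash escapes the next character
            i += 2
            continue
        if entry[i] == "/":
            closers.append(i)
        i += 1
    if len(closers) != 1:
        raise ConfigError(
            f"expected one unescaped closing '/' in {entry!r}, found {len(closers)}")
    close = closers[0]
    pattern, flags = entry[1:close], entry[close + 1:]
    unknown = set(flags) - set(_FLAG_MAP)
    if unknown:
        raise ConfigError(f"unexpected text after closing '/': {flags!r}")
    re_flags = 0
    for f in flags:
        re_flags |= _FLAG_MAP[f]
    return re.compile(pattern, re_flags)

def grab_regexp_array(lines):
    """Compile every non-blank line of a regexp-array value; one bad line rejects the whole value."""
    return [parse_regexp_entry(line) for line in lines if line.strip()]

def entry_is_valid(entry: str) -> bool:
    """True if the entry passes the delimiter check and compiles."""
    try:
        parse_regexp_entry(entry)
        return True
    except (ConfigError, re.error):
        return False

# Constructed sample value for a list's "advertise" setting (not taken from Majordomo).
SAMPLE_ADVERTISE = ["/^.*@example\\.com$/i", "/^lists-/"]
```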