-----BEGIN PGP SIGNED MESSAGE-----

______________________________________________________________________________

                    Caldera Systems, Inc.  Security Advisory

Subject:                various security problems with majordomo
Advisory number:        CSSA-1999-039.0
Issue date:             2000 January, 25
Cross reference:
______________________________________________________________________________

1. Problem Description

   There are several bugs in majordomo that allow arbitrary users to
   execute commands with the privileges of the majordomo account. If the
   sendmail aliases file contains aliases that invoke majordomo, a
   compromise of additional system accounts is possible, which may in turn
   lead to a root compromise. An immediate root exploit has not been found,
   however.

2. Vulnerable Versions

   Systems:  up to COL 2.3
   Packages: prior to majordomo-1.94.5-1

3. Solutions

   Workaround: change the group of the wrapper executable to daemon and
   turn off world execute rights:

        chgrp daemon /usr/lib/majordomo/wrapper
        chmod o-x /usr/lib/majordomo/wrapper

   The proper solution is to upgrade to the latest packages:

        rpm -U majordomo-1.94.5-1.i386.rpm

   If you do not use majordomo, we recommend removing the package entirely:

        rpm -e majordomo

4. Location of Fixed Packages

   The upgrade packages can be found on Caldera's FTP site at:

        ftp://ftp.calderasystems.com/pub/OpenLinux/updates/2.3/current/RPMS/

   The corresponding source code package can be found at:

        ftp://ftp.calderasystems.com/pub/OpenLinux/updates/2.3/current/SRPMS

5. Installing Fixed Packages

   Upgrade the affected packages with the following command:

        rpm -U majordomo-1.94.5-1.i386.rpm

6. Verification

   39eeb53bb2f565c2e75efbb06e3156aa  RPMS/majordomo-1.94.5-1.i386.rpm
   c409cfcde13893f99f50873b176b71d8  SRPMS/majordomo-1.94.5-1.src.rpm

7. References

   This and other Caldera security resources are located at:

        http://www.calderasystems.com/support/security/index.html

   This security fix closes Caldera's internal Problem Report 5615.

8. Disclaimer

   Caldera Systems, Inc. is not responsible for the misuse of any of the
   information we provide on this website and/or through our security
   advisories. Our advisories are a service to our customers intended to
   promote secure installation and use of Caldera OpenLinux.

______________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.0 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iQCVAwUBOI3dK+n+9R4958LpAQF8HgP+ONAmtUVuTAZwHeUt/jXVvdgnw1dCMlUx
XoS0tAJrKb1h6AIXxImtZWH92Tx81gBSYuV9LPgjCpLMndwGSjRgwm5K0R7BTseH
a2eJXPCMpa1TiJGYDPFB9bQnj78brPL+hoMxokzS9ReCS5htx8f6mKqS3B0oIIFG
OSh4Dx4jHL0=
=NhZJ
-----END PGP SIGNATURE-----
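The following script is an added example, not part of the Caldera advisory above. It turns two steps of the advisory into checkable shell functions: the section 3 workaround (regroup the wrapper and clear its world-execute bit, then confirm the bit is really gone) and the section 6 verification (compare the downloaded RPM and SRPM against the MD5 sums the advisory publishes). The wrapper path and the group name are parameters rather than the advisory's fixed values, so the functions can be exercised on a scratch file; the package directory argument is an assumption, the sums are copied verbatim from section 6.

```sh
#!/bin/sh
# Added example: apply the advisory's interim workaround and verify the
# update packages against the advisory's MD5 sums. Not Caldera's code.

# Expected sums, copied from section 6 of the advisory.
MD5_RPM=39eeb53bb2f565c2e75efbb06e3156aa
MD5_SRPM=c409cfcde13893f99f50873b176b71d8

# md5_of FILE: print the MD5 hex digest of FILE (GNU md5sum or BSD md5).
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

# verify_md5 FILE EXPECTED: succeed only if FILE hashes to EXPECTED.
verify_md5() {
    actual=$(md5_of "$1") || return 1
    [ "$actual" = "$2" ]
}

# world_exec FILE: succeed if the "other" execute bit (0001) is set.
# -perm -0001 matches when all of the given bits are set (POSIX find).
world_exec() {
    [ -n "$(find "$1" -perm -0001 -print 2>/dev/null)" ]
}

# harden_wrapper FILE GROUP: the section 3 workaround, generalised to take
# the path and group as arguments (the advisory uses
# /usr/lib/majordomo/wrapper and the group "daemon"). Chgrp and chmod are
# followed by a check that the world-execute bit is actually clear.
harden_wrapper() {
    wrapper=$1
    group=$2
    [ -f "$wrapper" ] || { echo "no such file: $wrapper" >&2; return 1; }
    chgrp "$group" "$wrapper" || return 1
    chmod o-x "$wrapper" || return 1
    if world_exec "$wrapper"; then
        echo "$wrapper is still world-executable" >&2
        return 1
    fi
    return 0
}

# check_updates DIR: verify both update packages found in DIR (assumed
# layout: the two files side by side) against the advisory's sums. Prints
# one status line per package and fails if any is missing or mismatched.
check_updates() {
    dir=$1
    rc=0
    for entry in "majordomo-1.94.5-1.i386.rpm:$MD5_RPM" \
                 "majordomo-1.94.5-1.src.rpm:$MD5_SRPM"; do
        file=$dir/${entry%%:*}
        want=${entry##*:}
        if [ -f "$file" ] && verify_md5 "$file" "$want"; then
            echo "OK       $file"
        else
            echo "MISMATCH $file"
            rc=1
        fi
    done
    return $rc
}

# Usage: ./majordomo-advisory.sh harden      (apply workaround as root)
#        ./majordomo-advisory.sh check DIR   (verify downloaded packages)
case "${1-}" in
    harden) harden_wrapper /usr/lib/majordomo/wrapper daemon ;;
    check)  check_updates "${2:-.}" ;;
esac
```

Run the `check` mode before `rpm -U`, since an FTP mirror can serve a stale or tampered file; run `harden` only as the stopgap the advisory describes, and keep in mind that it protects nothing if the wrapper is executed through a path other than the one you changed.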