Brent Chapman | 9 Mar 2005 22:57

Whether/how to address security issue with Majordomo 1.94.5?

Someone has contacted me about a security issue with Majordomo 1.94.5 
(the current release).  Essentially, the algorithm used to generate 
cookies for use in "auth" commands is weak and easily reversible.

The person has suggested alternate implementations which they believe 
are more secure; I have no reason to doubt them, but I'm not a 
cryptographer, and can't really evaluate whether their proposed 
replacement is any better than the original code.

The problem is, I view Majordomo as essentially dead code.  I'm not 
really willing to sink much more of my own time and effort into 
Majordomo.  This is but one of several problems with it.

The only reason I still offer Majordomo for download from the 
GreatCircle.com web site is that the Majordomo2 folks haven't yet 
officially released their package; unfortunately, though, I'm not 
sure if they ever will.

If somebody else wants to step forward and be the new "release 
coordinator" (as John Rouillard and Chan Wilson were in the past), 
then I'd be happy to distribute the new tarball that they put 
together, but I'm not willing to step into that role myself.

So, are there any volunteers who can convince me that they're capable 
of taking on the role?

-Brent
--

-- 
Brent Chapman <Brent <at> GreatCircle.COM>
Great Circle Associates, Inc.

John R Levine | 9 Mar 2005 23:16

Re: Whether/how to address security issue with Majordomo 1.94.5?

> Someone has contacted me about a security issue with Majordomo 1.94.5
> (the current release).  Essentially, the algorithm used to generate
> cookies for use in "auth" commands is weak and easily reversible.

They're right, but the main problem is that people often forget to change
the default nonce used to generate them.

Given the level of the threat, if you simply advise people to change the
nonce, and to use different ones if they have multiple mj1 setups for
different virtual domains, that should be fine.

I'd rather put effort into sticking a stake in the ground to ship mj 2.0
so people will believe that it's a released product.

Regards,
John Levine, johnl <at> iecc.com, Primary Perpetrator of "The Internet for Dummies",
Information Superhighwayman wanna-be, http://iecc.com/johnl, Mayor
"I dropped the toothpaste", said Tom, crestfallenly.

Brent Chapman | 9 Mar 2005 23:35

Re: Whether/how to address security issue with Majordomo 1.94.5?

At 5:16 PM -0500 3/9/05, John R Levine wrote:
>> Someone has contacted me about a security issue with Majordomo 1.94.5
>> (the current release).  Essentially, the algorithm used to generate
>> cookies for use in "auth" commands is weak and easily reversible.
>
>They're right, but the main problem is that people often forget to change
>the default nonce used to generate them.
>
>Given the level of the threat, if you simply advise people to change the
>nonce, and to use different ones if they have multiple mj1 setups for
>different virtual domains, that should be fine.

That doesn't appear to be sufficient.  The person who contacted me 
included code which figures out what the nonce (the "cookie_seed" in 
the Majordomo.cf file) is; the code is only about 40 lines of Perl.

>I'd rather put effort into sticking a stake in the ground to ship mj 2.0
>so people will believe that it's a released product.

So would I, but I've about given up hope for it ever being released. 
I'd love to be proven wrong.

-Brent
--

-- 
Brent Chapman <Brent <at> GreatCircle.COM>
Great Circle Associates, Inc.
http://www.greatcircle.com/
+1 650 962 0841


Brent Chapman | 9 Mar 2005 23:04

Re: Whether/how to address security issue with Majordomo 1.94.5?

At 1:57 PM -0800 3/9/05, Brent Chapman wrote:
>If somebody else wants to step forward and be the new "release 
>coordinator" (as John Rouillard and Chan Wilson were in the past), 
>then I'd be happy to distribute the new tarball that they put 
>together, but I'm not willing to step into that role myself.
>
>So, are there any volunteers who can convince me that they're 
>capable of taking on the role?

By the way, I wouldn't mind considering moving the whole 
development/support effort off to Sourceforge, either.

-Brent
--

-- 
Brent Chapman <Brent <at> GreatCircle.COM>
Great Circle Associates, Inc.
http://www.greatcircle.com/
+1 650 962 0841

Daniel Liston | 9 Mar 2005 23:37

Re: Whether/how to address security issue with Majordomo 1.94.5?

I would not mind moving into the role of release coordinator.
I can think of several of the unofficial patches that could
be rolled in to make a dandy 1.94.6 release, as well as a few
bug and security fixes and "unsupported" utilities. :)

If you do move the development effort to sourceforge, are you
considering any changes to a GNU license?  Would greatcircle
still host the mailing lists?

There were a couple years where I was intimately familiar with
the inner workings of majordomo, and I still have a back burner
project to make majordomo LDAP aware.  I intend to use an on/off
switch for this feature, if I ever get time to finish it. :(

I just don't want to see majordomo die of neglect, and I prefer
the simplicity of 1.9x to the complexity of "][".

Dan Liston

Brent Chapman wrote:

> At 1:57 PM -0800 3/9/05, Brent Chapman wrote:
> 
>> If somebody else wants to step forward and be the new "release 
>> coordinator" (as John Rouillard and Chan Wilson were in the past), 
>> then I'd be happy to distribute the new tarball that they put 
>> together, but I'm not willing to step into that role myself.
>>
>> So, are there any volunteers who can convince me that they're capable 
>> of taking on the role?

Brent Chapman | 9 Mar 2005 23:51

Re: Whether/how to address security issue with Majordomo 1.94.5?

At 4:37 PM -0600 3/9/05, Daniel Liston wrote:
>I would not mind moving into the role of release coordinator.

OK, that's an option I'll definitely consider.

If anybody wants to speak up for or against Dan taking over the role 
of release coordinator, please let me know your reasons ASAP; feel 
free to send me private email, if you'd rather not discuss it 
publicly.

>I can think of several of the unofficial patches that could
>be rolled in to make a dandy 1.94.6 release, as well as a few
>bug and security fixes and "unsupported" utilities. :)

Yeah, though we might also want to consider getting the security 
patch(es) out quickly as 1.94.6, and then following up with a feature 
release (perhaps 1.95?).  That would make it easy for folks to 
address just the security issue, without worrying about what new bugs 
might be introduced by the new features.

>If you do move the development effort to sourceforge, are you
>considering any changes to a GNU license?

I don't recall why I originally chose the TIS license (which is what 
I based the Majordomo license on, with their permission) rather than 
a GNU license.  If I recall correctly, the GNU license was nowhere 
near as well-established back then, and was just one of several "open 
source" (though that term hadn't come into use yet, I don't think) 
licenses that were floating around.


Joe R. Jah | 10 Mar 2005 07:12

Re: Whether/how to address security issue with Majordomo 1.94.5?

On Wed, 9 Mar 2005, Brent Chapman wrote:

> Date: Wed, 9 Mar 2005 14:51:15 -0800
> From: Brent Chapman <Brent <at> greatcircle.com>
> To: Daniel Liston <dliston <at> sonny.org>
> Cc: majordomo-workers <at> greatcircle.com
> Subject: Re: Whether/how to address security issue with Majordomo 1.94.5?
>
> At 4:37 PM -0600 3/9/05, Daniel Liston wrote:
> >I would not mind moving into the role of release coordinator.
>
> OK, that's an option I'll definitely consider.
>
> If anybody wants to speak up for or against Dan taking over the role
> of release coordinator, please let me know your reasons ASAP; feel
> free to send me private email, if you'd rather not discuss it
> publicly.

I enthusiastically support Dan as Majordomo Release Coordinator.

> >I can think of several of the unofficial patches that could
> >be rolled in to make a dandy 1.94.6 release, as well as a few
> >bug and security fixes and "unsupported" utilities. :)
>
> Yeah, though we might also want to consider getting the security
> patch(es) out quickly as 1.94.6, and then following up with a feature
> release (perhaps 1.95?).  That would make it easy for folks to
> address just the security issue, without worrying about what new bugs
> might be introduced by the new features.


Roger B.A. Klorese | 10 Mar 2005 03:56

Re: Whether/how to address security issue with Majordomo 1.94.5?

>From: "Brent Chapman"<Brent <at> GreatCircle.COM>
>>By the way, I'd hope anyone who'd consider doing it for Mj1 might 
>>consider doing for Mj2...!
>
>Wishful thinking, I think...  They're very different beasts.  I don't 
>think _I'm_ qualified to be a release coordinator for Mj2; there's 
>too much nitty-gritty know-how required about how to turn it into a 
>.rpm, .deb, and so forth, which I don't have.

I'd be pleased if we started with a tarball...

Roger B.A. Klorese | 9 Mar 2005 23:25

Re: Whether/how to address security issue with

Brent Chapman wrote:

> At 1:57 PM -0800 3/9/05, Brent Chapman wrote:
>
>> If somebody else wants to step forward and be the new "release 
>> coordinator" (as John Rouillard and Chan Wilson were in the past), 
>> then I'd be happy to distribute the new tarball that they put 
>> together, but I'm not willing to step into that role myself.
>>
>> So, are there any volunteers who can convince me that they're capable 
>> of taking on the role?
>
>
> By the way, I wouldn't mind considering moving the whole 
> development/support effort off to Sourceforge, either.
>
>
> -Brent

By the way, I'd hope anyone who'd consider doing it for Mj1 might 
consider doing for Mj2...!

Brent Chapman | 9 Mar 2005 23:38

Re: Whether/how to address security issue

At 2:25 PM -0800 3/9/05, Roger B.A. Klorese  wrote:
>Brent Chapman wrote:
>
>>At 1:57 PM -0800 3/9/05, Brent Chapman wrote:
>>
>>>If somebody else wants to step forward and be the new "release 
>>>coordinator" (as John Rouillard and Chan Wilson were in the past), 
>>>then I'd be happy to distribute the new tarball that they put 
>>>together, but I'm not willing to step into that role myself.
>>>
>>>So, are there any volunteers who can convince me that they're 
>>>capable of taking on the role?
>>
>>
>>By the way, I wouldn't mind considering moving the whole 
>>development/support effort off to Sourceforge, either.
>>
>>
>>-Brent
>
>
>By the way, I'd hope anyone who'd consider doing it for Mj1 might 
>consider doing for Mj2...!

Wishful thinking, I think...  They're very different beasts.  I don't 
think _I'm_ qualified to be a release coordinator for Mj2; there's 
too much nitty-gritty know-how required about how to turn it into a 
.rpm, .deb, and so forth, which I don't have.

Mj1 has always simply been distributed as a tarball, and that's fine; 