COMMAND

    majordomo(8)

SYSTEMS AFFECTED

    Any systems using the majordomo mailing list software, versions up
    to 1.90.

PROBLEM

    Basically, through clever hackery of "From:" lines on incoming
    messages, someone could convince 'majordomo' or 'request-answer'
    to run a command for them as the user Majordomo is running as
    (whatever the "wrapper" program is setuid to if you're on BSD, or
    the user compiled into the wrapper if you're on a POSIX box). This
    command could, for instance, send them your passwd file, or even
    compile and run a supplied program to start a shell for them on a
    specified port, so all they'd have to do is telnet to that port
    from the outside.
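
    An added example, not Majordomo's code and not from this advisory:
    treat the "From:" value as untrusted, accept only a conservative
    address form, and pass it to the mailer as its own argument instead
    of through a shell. The function names, the sendmail path and the
    sample messages are assumptions; the advisory does not say how the
    address reaches a command.

```python
import email
import re

# Conservative allowlist: local@domain built only from characters that have
# no meaning to a shell, and never starting with "-" (option injection).
_ADDR_RE = re.compile(
    r"[A-Za-z0-9][A-Za-z0-9._+=-]{0,63}"
    r"@[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252}[A-Za-z0-9])?"
)
# "Display Name <addr>" form: the address must be the last thing on the line.
_ANGLE_RE = re.compile(r"<([^<>]*)>\s*$")

SENDMAIL = "/usr/sbin/sendmail"  # assumed path, adjust for the host

# Constructed sample messages (not taken from any real traffic).
GOOD = "From: List User <user@example.org>\nSubject: help\n\nhelp\n"
BAD = "From: nobody@example.org; echo injected\nSubject: help\n\nhelp\n"
DASH = "From: -v@example.org\nSubject: help\n\nhelp\n"


def reply_address(raw_message):
    """Return the validated From: address, or None if it must be rejected."""
    value = email.message_from_string(raw_message)["From"]
    if value is None:
        return None
    match = _ANGLE_RE.search(value)
    candidate = (match.group(1) if match else value).strip()
    # fullmatch: the whole candidate must be an address, nothing trailing.
    return candidate if _ADDR_RE.fullmatch(candidate) else None


def mailer_argv(address):
    """Build an argument vector for exec-style invocation (no shell)."""
    if address is None or not _ADDR_RE.fullmatch(address):
        raise ValueError("refusing unvalidated reply address")
    # "--" ends option parsing, so the address is never read as a flag.
    return [SENDMAIL, "-oi", "--", address]


if __name__ == "__main__":
    for name, msg in (("GOOD", GOOD), ("BAD", BAD), ("DASH", DASH)):
        addr = reply_address(msg)
        print(name, "->", mailer_argv(addr) if addr else "rejected")
```

    The returned list is meant for subprocess.run(argv, input=...)
    without shell=True, so no part of the header is parsed as a command.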

SOLUTION

    Upgrade to the latest release of Majordomo.