I'm running 18.e on Linux. Do we have to upgrade to 14.3 first or will
the kit do the upgrade to 14.3 with patch?
John Hiler
513-229-1131 Work
513-325-7572 Cell
-----Original Message-----
From: LISTSERV site administrators' forum
[mailto:[log in to unmask]] On Behalf Of L-Soft Security
Advisory
Sent: Wednesday, May 25, 2005 6:07 PM
To: [log in to unmask]
Subject: L-Soft Security Advisory 2005-05-25
************************************************************************
*
*************************** SECURITY ADVISORY
***************************
************************************************************************
*
A security exposure has been discovered and fixed in the LISTSERV
web interface (including LISTSERV Maestro, LISTSERV HPO, LISTSERV
Lite, and LISTSERV Free Edition). L-Soft recommends that all affected
users apply the patch immediately.
------------------------------- ABSTRACT
-------------------------------- PRODUCTS AFFECTED:
- LISTSERV version 14.3 (confirmed), including LISTSERV Lite and HPO.
- LISTSERV version 1.8e (confirmed), including LISTSERV Lite and HPO.
- LISTSERV version 1.8d (inferred), including LISTSERV Lite and HPO.
- Older versions are not believed to be affected.
- LISTSERV Free Edition is LISTSERV Lite with special licensing
terms.
What applies to LISTSERV Lite in this advisory applies also to
LISTSERV
Free Edition.
- Support for version 1.8e (released May 22, 2002) was
discontinued
December 31, 2004. No patches are available for version 1.8e or older.
OPERATING SYSTEMS AFFECTED:
- Windows, unix (all vendors), OpenVMS AXP (confirmed).
- VM sites are not affected.
EXCEPTIONS/SPECIAL NOTES:
- Customers not using the LISTSERV web interface are not vulnerable.
- The LISTSERV Maestro web interface is not vulnerable; however,
LISTSERV
Maestro installations typically host both LISTSERV and LISTSERV
Maestro
web interfaces, and in such cases they are vulnerable.
- The 10 January 2005 and later builds of LISTSERV version 14.3 are
less
vulnerable, but L-Soft recommends that they be upgraded anyway.
- LISTSERV version 14.4 (beta) is not vulnerable.
EXPOSURE:
On a correctly configured LISTSERV installation running the LISTSERV
web interface with normal CGI privileges, intruders may be able to
gain non-privileged access to the system on which the web interface
script is running. The executable in question is called 'WA.EXE' on
Windows and VMS, and 'wa' on unix. In the remainder of this advisory,
this script will be called "WA" regardless of operating system.
The exposure may be more severe if WA is configured to run
with privileges beyond those recommended by L-Soft or, for Windows,
if the system partition is using the FAT or FAT32 file system.
SOLUTION:
- Apply 2005a level set.
OR:
- Update just WA from 2005a level set.
The vulnerability cannot be circumvented, other than by disabling the
web interface altogether.
RISK RATING: HIGH
- Date of first reported exploit: May 20, 2005.
- Exploit widely known within hacker community since: no known incident.
INCIDENT CHRONOLOGY:
2005-05-20 Initial report to L-Soft support 2005-05-20 More information
requested
2005-05-21 Detailed information received
2005-05-21 Internal escalation
2005-05-22 Problem not reproduced
2005-05-23 Problem reproduced
2005-05-23 Emergency correction initiated
2005-05-24 Patch A1 ready
2005-05-24 A1 delivered to reporting site
2005-05-24 A1 passed standard internal tests, ready for deployment
2005-05-24 2005a kit generation starting
2005-05-24 2005a kits ready for deployment
2005-05-25 Reporting site confirms A1 removes exposure
2005-05-25 2005a deployed
2005-05-25 Security Advisory distributed to Maintenance customers
2005-05-25 Security Advisory distributed to LSTSRV-L
---------------------------- END OF ABSTRACT
----------------------------
THE 2005a LEVEL SET
-------------------
The only change in the 2005a level set is an updated WA executable.
There is no user-visible change or new functionality after applying
the 2005a level set.
L-Soft intends to deliver new functionality to customers through
the upcoming 14.4 release, which is currently in beta. Future 14.3
level sets, if any, are not expected to include any new functionality.
APPLYING THE 2005a LEVEL SET
----------------------------
This level set can be installed as a normal level set upgrade, which
will require that LISTSERV be stopped during the upgrade, or you can
opt to extract the updated WA executable from the kit and replace it on
the fly, which is less disruptive, but also more complicated. If in
doubt, perform a normal upgrade.
If you perform an on-the-fly upgrade, you will have to update WA in
two
locations: your web server's CGI directory, and LISTSERV's own
directory tree. If you do not update the CGI directory, the patch is not
active. If you do not update the copy of WA in the LISTSERV directory
and later use one of the L-Soft setup/installation tools to move
your LISTSERV web directory, the tool may copy the unpatched
version of WA to the new location and re-introduce the vulnerability.
Regardless of which method you choose, be sure to verify that the
patch is online by loading the following URL:
- Windows, VMS: http://.../wa.exe?DEBUG-SHOW-VERSION
- unix: http://.../wa?DEBUG-SHOW-VERSION
The compilation date should read 24 May 2005 or later.
DOWNLOADING THE 2005a LEVEL SET
-------------------------------
To download the 2005a level set, go to L-Soft's web site and download
an evaluation copy of LISTSERV Lite if this is what you are
running, or LISTSERV Classic in all other cases (Classic, HPO,
Maestro, etc). This evaluation kit will upgrade your existing LISTSERV
installation. It will NOT turn it into an evaluation version.
The kits can be found at:
http://www.lsoft.com/download/listserv.asp
http://www.lsoft.com/download/listservlite.asp
MacOS beta sites will instead find the level set at the same location
as the original beta installation kits.
ACKNOWLEDGEMENTS
----------------
L-Soft would like to thank Peter Winter-Smith of Next Generation
Security Software (www.ngssoftware.com) for reporting this problem and
providing information and assistance well past regular business hours.
|