LSTSRV-L Archives

LISTSERV Site Administrators' Forum

Alan Thew <[log in to unmask]>
Wed, 25 May 2005 23:03:13 +0100
On Wed, 25 May 2005 17:45, Alexander Willman <[log in to unmask]> said:

> Is there a vulnerability in LISTSERV versions 1.8d through 14.3 as the 
> forwarded message below indicates?  If so, is there indeed a level set 
> release newer than 14.3 that fixes the problem?  The LISTSERV download web 
> site still indicates that 14.3 is the latest version.  Thanks.

The latest download should include a fixed wa executable.

Alan Thew
>
> 			Alex
>
>
> -------- Original Message --------
> Subject: High Risk Vulnerability in L-Soft's LISTSERV Server
> Date: Wed, 25 May 2005 20:31:29 +0100
> From: NGSSoftware Insight Security Research <[log in to unmask]>
> To: [log in to unmask], [log in to unmask], 
> [log in to unmask]
>
> Peter Winter-Smith of NGSSoftware has discovered a number of vulnerabilities 
> in L-Soft's LISTSERV list management system. The worst of these carries a 
> high risk rating.
>
> Affected versions include:
>
> - LISTSERV version 14.3, including LISTSERV Lite and HPO
> - LISTSERV version 1.8e, including LISTSERV Lite and HPO
> - LISTSERV version 1.8d, including LISTSERV Lite and HPO
>
> Running under Windows and Unix, and OpenVMS AXP.
>
> Several of the flaws in question allow remote arbitrary code execution, 
> others allow remote denial of service.
>
> This issue has been resolved in the latest release of L-Soft LISTSERV 
> (version 14.3 level set 2005a and above), which may be downloaded from:
>
> http://www.lsoft.com/download/listserv.asp
> http://www.lsoft.com/download/listservlite.asp
>
> I (Peter Winter-Smith) would like to extend a special thanks to the support 
> and development teams at L-Soft who were able to address these issues, from 
> reporting to published fix, in well under a week.
>
> NGSSoftware are going to withhold details of this flaw for three months. Full 
> details will be published on the 25th August 2005. This three month window 
> will allow users of L-Soft's LISTSERV the time needed to apply the patch 
> before the details are released to the general public. This reflects 
> NGSSoftware's approach to responsible disclosure.
>
> NGSSoftware Insight Security Research
> http://www.ngssoftware.com
> http://www.databasesecurity.com/
> http://www.nextgenss.com/
> +44(0)208 401 0070
>
