LSTSRV-L Archives

LISTSERV Site Administrators' Forum

LSTSRV-L

Al Lilianstrom <[log in to unmask]>
Mon, 6 Mar 2006 12:51:38 -0600
Has anyone (outside of LSoft) upgraded?

I just did my test system and it seems to be functioning just fine.

Just curious if anyone has noticed anything unusual.

	al

Nathan Brindle wrote:
> If you have current maintenance, it's a free upgrade.
> 
> Nathan
> 
> At 11:47 AM 3/6/2006 -0500, Chris Mead wrote:
>> Hmm... in order to patch a "critical vulnerability" in LSoft's software you
>> must pay for an upgrade.
>>
>> ~Chris
>>
>>
>> -----Original Message-----
>> From: LISTSERV site administrators' forum
>> [mailto:[log in to unmask]] On Behalf Of Karol Leuzarder
>> Sent: Monday, March 06, 2006 10:30 AM
>> To: [log in to unmask]
>> Subject: Critical Risk Vulnerability in L-Soft Listserv
>>
>> Date: Friday, March 3, 2006 4:56 PM -0800
>> From: NGSSoftware Insight Security Research <[log in to unmask]>
>> To: [log in to unmask], [log in to unmask]
>> Subject: Critical Risk Vulnerability in L-Soft Listserv
>>
>> Peter Winter-Smith of NGSSoftware has discovered a number of vulnerabilities
>> in L-Soft's LISTSERV list management system. The worst of these carries a
>> critical risk rating.
>>
>> Affected versions include:
>>
>> - LISTSERV version 14.4, including LISTSERV Lite and HPO
>> - LISTSERV version 14.3, including LISTSERV Lite and HPO
>>
>> And possibly all prior versions of LISTSERV which are installed with the web
>> archive interface, which is currently the default installation behaviour.
>>
>> The vulnerabilities which have been fixed can, in the worst of cases, allow
>> a remote unauthenticated attacker to execute arbitrary code on the system
>> hosting the LISTSERV archive web interface.
>>
>> This issue has been resolved in the latest release of L-Soft LISTSERV
>> (version 14.5), which may be downloaded from:
>>
>> http://www.lsoft.com/download/listserv.asp
>> http://www.lsoft.com/download/listservlite.asp
>>
>> NGSSoftware are going to withhold details of this flaw for three months.
>> Full details will be published on the 3rd June 2006. This three month window
>> will allow users of L-Soft's LISTSERV the time needed to apply the patch
>> before the details are released to the general public. This reflects
>> NGSSoftware's approach to responsible disclosure.
>>
>> NGSSoftware Insight Security Research
>> http://www.ngssoftware.com
>> http://www.databasesecurity.com/
>> http://www.nextgenss.com/
>> +44(0)208 401 0070
>>
>>
>>
>> ************************************************************
>> Karol K. Leuzarder              [log in to unmask]
>> Senior Technical Programmer     phone:  401-874-4965
>> OIS/TOPS, 48 Tyler Hall         fax:    401-789-4040
>> University of Rhode Island
>> Kingston, RI    02881

-- 

Al Lilianstrom
CD/CSS/CSI
[log in to unmask]
