LSTSRV-L Archives

LISTSERV Site Administrators' Forum

John Kelley <[log in to unmask]>
Wed, 25 May 2005 21:42:42 -0400
Never mind, got it.  I had to clean everything out of the folder first.

John

At 06:03 PM 5/25/2005, you wrote:
>On Wed, 25 May 2005 17:45 , Alexander Willman <[log in to unmask]> said:
>
>>Is there a vulnerability in LISTSERV versions 1.8d through 14.3 as the 
>>forwarded message below indicates?  If so, is there indeed a level set 
>>release newer than 14.3 that fixes the problem?  The LISTSERV download 
>>web site still indicates that 14.3 is the latest version.  Thanks.
>
>The latest download should include a fixed wa executable.
>
>Alan Thew
>>
>>                         Alex
>>
>>
>>-------- Original Message --------
>>Subject: High Risk Vulnerability in L-Soft's LISTSERV Server
>>Date: Wed, 25 May 2005 20:31:29 +0100
>>From: NGSSoftware Insight Security Research <[log in to unmask]>
>>To: [log in to unmask], [log in to unmask], 
>>[log in to unmask]
>>
>>Peter Winter-Smith of NGSSoftware has discovered a number of 
>>vulnerabilities in L-Soft's LISTSERV list management system. The worst of 
>>these carries a high risk rating.
>>
>>Affected versions include:
>>
>>- LISTSERV version 14.3, including LISTSERV Lite and HPO
>>- LISTSERV version 1.8e, including LISTSERV Lite and HPO
>>- LISTSERV version 1.8d, including LISTSERV Lite and HPO
>>
>>Running under Windows and Unix, and OpenVMS AXP.
>>
>>Several of the flaws in question allow remote arbitrary code execution, 
>>others allow remote denial of service.
>>
>>This issue has been resolved in the latest release of L-Soft LISTSERV 
>>(version 14.3 level set 2005a and above), which may be downloaded from:
>>
>>http://www.lsoft.com/download/listserv.asp
>>http://www.lsoft.com/download/listservlite.asp
>>
>>I (Peter Winter-Smith) would like to extend a special thanks to the 
>>support and development teams at L-Soft who were able to address these 
>>issues, from reporting to published fix, in well under a week.
>>
>>NGSSoftware are going to withhold details of this flaw for three months. 
>>Full details will be published on the 25th August 2005. This three month 
>>window will allow users of L-Soft's LISTSERV the time needed to apply the 
>>patch before the details are released to the general public. This 
>>reflects NGSSoftware's approach to responsible disclosure.
>>
>>NGSSoftware Insight Security Research
>>http://www.ngssoftware.com
>>http://www.databasesecurity.com/
>>http://www.nextgenss.com/
>>+44(0)208 401 0070
