LSTSRV-L Archives

LISTSERV Site Administrators' Forum

LSTSRV-L

Nathan Brindle <[log in to unmask]>
Mon, 6 Mar 2006 16:07:16 -0500
A 14.5 LAK is required, as stated in the release notes.

http://www.lsoft.com/manuals/1.8e/relnotes/LISTSERV14.5-Release-Notes.html

Nathan

At 03:32 PM 3/6/2006 -0500, Charlie Giannetto wrote:
>Nathan,
>
>   Do we need a new LAK for the new release or will the 14.4 LAK work?
>
>- Charlie
>
>On Mon, 6 Mar 2006, Nathan Brindle wrote:
>
>>If you have current maintenance, it's a free upgrade.
>>
>>Nathan
>>
>>At 11:47 AM 3/6/2006 -0500, Chris Mead wrote:
>>>Hmm... in order to patch a "critical vulnerability" in L-Soft's software you
>>>must pay for an upgrade.
>>>~Chris
>>>
>>>-----Original Message-----
>>>From: LISTSERV site administrators' forum
>>>[mailto:[log in to unmask]] On Behalf Of Karol Leuzarder
>>>Sent: Monday, March 06, 2006 10:30 AM
>>>To: [log in to unmask]
>>>Subject: Critical Risk Vulnerability in L-Soft Listserv
>>>Date: Friday, March 3, 2006 4:56 PM -0800
>>>From: NGSSoftware Insight Security Research <[log in to unmask]>
>>>To: [log in to unmask], [log in to unmask]
>>>Subject: Critical Risk Vulnerability in L-Soft Listserv
>>>
>>>Peter Winter-Smith of NGSSoftware has discovered a number of vulnerabilities
>>>in L-Soft's LISTSERV list management system. The worst of these carries a
>>>critical risk rating.
>>>
>>>Affected versions include:
>>>- LISTSERV version 14.4, including LISTSERV Lite and HPO
>>>- LISTSERV version 14.3, including LISTSERV Lite and HPO
>>>
>>>And possibly all prior versions of LISTSERV which are installed with the web
>>>archive interface, which is currently the default installation behaviour.
>>>
>>>The vulnerabilities which have been fixed can, in the worst of cases, allow
>>>a remote unauthenticated attacker to execute arbitrary code on the system
>>>hosting the LISTSERV archive web interface.
>>>
>>>This issue has been resolved in the latest release of L-Soft LISTSERV
>>>(version 14.5), which may be downloaded from:
>>>http://www.lsoft.com/download/listserv.asp
>>>http://www.lsoft.com/download/listservlite.asp
>>>
>>>NGSSoftware are going to withhold details of this flaw for three months.
>>>Full details will be published on the 3rd June 2006. This three month window
>>>will allow users of L-Soft's LISTSERV the time needed to apply the patch
>>>before the details are released to the general public. This reflects
>>>NGSSoftware's approach to responsible disclosure.
>>>
>>>NGSSoftware Insight Security Research
>>>http://www.ngssoftware.com
>>>http://www.databasesecurity.com/
>>>http://www.nextgenss.com/
>>>+44(0)208 401 0070
>>>
>>>************************************************************
>>>Karol K. Leuzarder              [log in to unmask]
>>>Senior Technical Programmer     phone:  401-874-4965
>>>OIS/TOPS, 48 Tyler Hall         fax:    401-789-4040
>>>University of Rhode Island
>>>Kingston, RI    02881
