LSTSRV-L Archives

LISTSERV Site Administrators' Forum

Nathan Brindle <[log in to unmask]>
Mon, 6 Mar 2006 13:23:54 -0500
If you have current maintenance, it's a free upgrade.

Nathan

At 11:47 AM 3/6/2006 -0500, Chris Mead wrote:
>Hmm... in order to patch a "critical vulnerability" in LSoft's software you
>must pay for an upgrade.
>
>~Chris
>
>
>-----Original Message-----
>From: LISTSERV site administrators' forum
>[mailto:[log in to unmask]] On Behalf Of Karol Leuzarder
>Sent: Monday, March 06, 2006 10:30 AM
>To: [log in to unmask]
>Subject: Critical Risk Vulnerability in L-Soft Listserv
>
>Date: Friday, March 3, 2006 4:56 PM -0800
>From: NGSSoftware Insight Security Research <[log in to unmask]>
>To: [log in to unmask], [log in to unmask]
>Subject: Critical Risk Vulnerability in L-Soft Listserv
>
>Peter Winter-Smith of NGSSoftware has discovered a number of vulnerabilities
>in L-Soft's LISTSERV list management system. The worst of these carries a
>critical risk rating.
>
>Affected versions include:
>
>- LISTSERV version 14.4, including LISTSERV Lite and HPO
>- LISTSERV version 14.3, including LISTSERV Lite and HPO
>
>And possibly all prior versions of LISTSERV which are installed with the web
>archive interface, which is currently the default installation behaviour.
>
>The vulnerabilities which have been fixed can, in the worst of cases, allow
>a remote unauthenticated attacker to execute arbitrary code on the system
>hosting the LISTSERV archive web interface.
>
>This issue has been resolved in the latest release of L-Soft LISTSERV
>(version 14.5), which may be downloaded from:
>
>http://www.lsoft.com/download/listserv.asp
>http://www.lsoft.com/download/listservlite.asp
>
>NGSSoftware are going to withhold details of this flaw for three months.
>Full details will be published on the 3rd June 2006. This three month window
>will allow users of L-Soft's LISTSERV the time needed to apply the patch
>before the details are released to the general public. This reflects
>NGSSoftware's approach to responsible disclosure.
>
>NGSSoftware Insight Security Research
>http://www.ngssoftware.com
>http://www.databasesecurity.com/
>http://www.nextgenss.com/
>+44(0)208 401 0070
>
>
>
>************************************************************
>Karol K. Leuzarder              [log in to unmask]
>Senior Technical Programmer     phone:  401-874-4965
>OIS/TOPS, 48 Tyler Hall         fax:    401-789-4040
>University of Rhode Island
>Kingston, RI    02881