Eric Thomas <ERIC@LEPICS>
Wed, 30 Aug 89 21:45:58 GMT
Today I have found and fixed a severe security exposure in LISTSERV. For
obvious reasons, I shall provide NO information regarding the nature of that
problem, and I am explicitly asking you not to discuss it on the network in
any way which might help potential hackers find out what it is.

I could explain how to zap the affected program files to fix the problem, but
this would also expose what the problem is, and then it would just be a race
between the maintainers and hackers, which could be especially bad as the
holidays are not over for everybody. I thought about it and decided that the
wisest thing to do was to "close" 1.6b today, after making the necessary
changes to make this a "clean" closure, rather than just stopping in the
middle of something. Furthermore, all the updated files will bear today's
date, so as to "hide" the fix in the mass of other changes: in case a hacker
were to get a copy of the code, it would take him much longer to find out what
the problem is, and this gives more time to the maintainers to test and
install 1.6b.

I suppose that's all I can do about it, apart from apologizing for being the
cause of the problem in the first place, making sure to recommend serious
testing of 1.6b as there will be no beta 1.6b programme, and wishing you good
luck. A description of the changes between 1.6a and 1.6b will follow, and I'll
then ship the code to everybody.
Eric