If you have current maintenance, it's a free upgrade.

Nathan

At 11:47 AM 3/6/2006 -0500, Chris Mead wrote:
>Hmm... in order to patch a "critical vulnerability" in LSoft's software you
>must pay for an upgrade.
>
>~Chris
>
>
>-----Original Message-----
>From: LISTSERV site administrators' forum
>[mailto:[log in to unmask]] On Behalf Of Karol Leuzarder
>Sent: Monday, March 06, 2006 10:30 AM
>To: [log in to unmask]
>Subject: Critical Risk Vulnerability in L-Soft Listserv
>
>Date: Friday, March 3, 2006 4:56 PM -0800
>From: NGSSoftware Insight Security Research <[log in to unmask]>
>To: [log in to unmask], [log in to unmask]
>Subject: Critical Risk Vulnerability in L-Soft Listserv
>
>Peter Winter-Smith of NGSSoftware has discovered a number of vulnerabilities
>in L-Soft's LISTSERV list management system. The worst of these carries a
>critical risk rating.
>
>Affected versions include:
>
>- LISTSERV version 14.4, including LISTSERV Lite and HPO
>- LISTSERV version 14.3, including LISTSERV Lite and HPO
>
>And possibly all prior versions of LISTSERV which are installed with the web
>archive interface, which is currently the default installation behaviour.
>
>The vulnerabilities which have been fixed can, in the worst of cases, allow
>a remote unauthenticated attacker to execute arbitrary code on the system
>hosting the LISTSERV archive web interface.
>
>This issue has been resolved in the latest release of L-Soft LISTSERV
>(version 14.5), which may be downloaded from:
>
>http://www.lsoft.com/download/listserv.asp
>http://www.lsoft.com/download/listservlite.asp
>
>NGSSoftware are going to withhold details of this flaw for three months.
>Full details will be published on the 3rd June 2006. This three month window
>will allow users of L-Soft's LISTSERV the time needed to apply the patch
>before the details are released to the general public. This reflects
>NGSSoftware's approach to responsible disclosure.
>
>NGSSoftware Insight Security Research
>http://www.ngssoftware.com
>http://www.databasesecurity.com/
>http://www.nextgenss.com/
>+44(0)208 401 0070
>
>
>
>************************************************************
>Karol K. Leuzarder              [log in to unmask]
>Senior Technical Programmer     phone: 401-874-4965
>OIS/TOPS, 48 Tyler Hall         fax: 401-789-4040
>University of Rhode Island
>Kingston, RI 02881