A 14.5 LAK is required, as stated in the release notes. http://www.lsoft.com/manuals/1.8e/relnotes/LISTSERV14.5-Release-Notes.html Nathan At 03:32 PM 3/6/2006 -0500, Charlie Giannetto wrote: >Nathan, > > Do we need a new LAK for the new release or will the 14.4 LAK work? > >- Charlie > >On Mon, 6 Mar 2006, Nathan Brindle wrote: > >>If you have current maintenance, it's a free upgrade. >> >>Nathan >> >>At 11:47 AM 3/6/2006 -0500, Chris Mead wrote: >>>Hmm... in order to patch a "critical vulnerability" in LSofts software you >>>must pay for an upgrade. >>>~Chris >>> >>>-----Original Message----- >>>From: LISTSERV site administrators' forum >>>[mailto:[log in to unmask]] On Behalf Of Karol Leuzarder >>>Sent: Monday, March 06, 2006 10:30 AM >>>To: [log in to unmask] >>>Subject: Critical Risk Vulnerability in L-Soft Listserv >>>Date: Friday, March 3, 2006 4:56 PM -0800 >>>From: NGSSoftware Insight Security Research <[log in to unmask]> >>>To: [log in to unmask], [log in to unmask] >>>Subject: Critical Risk Vulnerability in L-Soft Listserv >>>Peter Winter-Smith of NGSSoftware has discovered a number of vulnerabilities >>>in L-Soft's LISTSERV list management system. The worst of these carries a >>>critical risk rating. >>>Affected versions include: >>>- LISTSERV version 14.4, including LISTSERV Lite and HPO >>>- LISTSERV version 14.3, including LISTSERV Lite and HPO >>>And possibly all prior versions of LISTSERV which are installed with the web >>>archive interface, which is currently the default installation behaviour. >>>The vulnerabilities which have been fixed can, in the worst of cases, allow >>>a remote unauthenticated attacker to execute arbitrary code on the system >>>hosting the LISTSERV archive web interface. >>>This issue has been resolved in the latest release of L-Soft LISTSERV >>>(version 14.5), which may be downloaded from: >>>http://www.lsoft.com/download/listserv.asp >>>http://www.lsoft.com/download/listservlite.asp >>>NGSSoftware are going to withhold details of this flaw for three months. >>>Full details will be published on the 3rd June 2006. This three month window >>>will allow users of L-Soft's LISTSERV the time needed to apply the patch >>>before the details are released to the general public. This reflects >>>NGSSoftware's approach to responsible disclosure. >>>NGSSoftware Insight Security Research >>>http://www.ngssoftware.com >>>http://www.databasesecurity.com/ >>>http://www.nextgenss.com/ >>>+44(0)208 401 0070 >>> >>>************************************************************ >>>Karol K. Leuzarder [log in to unmask] >>>Senior Technical Programmer phone: 401-874-4965 >>>OIS/TOPS, 48 Tyler Hall fax: 401-789-4040 >>>University of Rhode Island >>>Kingston, RI 02881