For those of us relatively new to running ListServ, and running it on a
Solaris/Sparc box, would this "level" upgrade include downloading and
reinstalling the common.tar.Z, or just the [os].tar.z?
Kip
On Fri, 5 May 2000, Eric Thomas wrote:
> Date: Fri, 5 May 2000 19:33:58 +0200
> From: Eric Thomas <[log in to unmask]>
> Reply-To: LISTSERV give-and-take forum <[log in to unmask]>
> To: [log in to unmask]
> Subject: SECURITY ADVISORY FROM L-SOFT
>
> *************************************************************************
> *************************** SECURITY ADVISORY ***************************
> *************************************************************************
>
> A security exposure has been discovered and fixed in LISTSERV and
> LISTSERV Lite. L-Soft recommends that all affected users apply the 2000a
> level set immediately.
>
> ------------------------------- ABSTRACT --------------------------------
> PRODUCTS AFFECTED:
>
> - LISTSERV version 1.8d (confirmed), including LISTSERV Lite.
>
> - LISTSERV version 1.8c (inferred), including LISTSERV Lite betas.
>
> - LISTSERV version 1.8b and older are NOT affected.
>
> - Note that support for version 1.8c (released January, 1997) was
> discontinued March, 1999. No patches are available for version 1.8c.
>
> OPERATING SYSTEMS AFFECTED:
>
> - Windows NT/2000, unix (all vendors), OpenVMS AXP (confirmed).
>
> - Windows 95/98, OpenVMS VAX (inferred).
>
> - VM/ESA sites are NOT affected.
>
> EXPOSURE:
>
> Intruders may be able to gain non-interactive access to the system on
> which LISTSERV is running. On a properly configured LISTSERV
> installation, this access will be non-privileged. It may be possible for
> the intruder to gain root access if one of the following is true:
>
> - LISTSERV executables were granted privileges over those that are
> required and/or recommended for the particular operating system.
>
> - The operating system is not secure (for instance, key system files have
> world write access because the system is installed on a FAT partition).
>
> SOLUTION:
>
> - Apply 2000a level set (see below). The problem cannot be circumvented.
>
> - [Windows NT/2000] Make sure your boot/system drive is formatted for
> NTFS with suitable access control lists.
>
> - Reminder: L-Soft does not recommend running LISTSERV on Windows 95/98.
>
> RISK RATING: HIGH
>
> - Date vulnerability appeared in code stream: January, 1996.
>
> - Date of first reported exploit: April 29, 2000.
>
> - Exploit widely known within hacker community since: May 4, 2000.
>
> INCIDENT CHRONOLOGY:
>
> 2000-04-28 Initial report, exposure 1 (one site)
> 2000-04-28 Exposure 1 determined to be innocuous; no emergency action
> 2000-04-29 Initial report, exposure 2 (one site)
> 2000-04-29 Emergency action initiated
> 2000-04-29 Patch A1 ready (exposures 1 and 2)
> 2000-04-29 A1 delivered to reporting site
> 2000-04-30 A1 passed standard internal tests, ready for deployment
> 2000-04-30 Exposure 3 discovered by L-Soft; deployment of A1 cancelled
> 2000-05-01 Patch A2 ready (exposures 1, 2 and 3)
> NOTE: A2 required rewrite of core routines, schedule full
> live test before deployment!
> 2000-05-01 A2 delivered to reporting site
> 2000-05-02 A2 fails internal tests
> 2000-05-02 Patch A3 ready (exposures 1, 2 and 3)
> 2000-05-02 A3 delivered to reporting site
> 2000-05-02 A3 passed standard internal tests, ready for live test
> 2000-05-02 A3 live test starting [this is a 24h test]
> 2000-05-02 A3 merged with 2000a level set
> 2000-05-02 2000a kit generation starting
> 2000-05-03 2000a kits ready for deployment
> 2000-05-03 A3 passes live test, ready for deployment
> 2000-05-03 Deployment postponed to 05/04 due to time of day
> 2000-05-04 Deployment postponed to 05/05 due to I LOVE YOU virus emergency
> 2000-05-05 2000a deployed
> ---------------------------- END OF ABSTRACT ----------------------------
>
> THE 2000a LEVEL SET
> -------------------
>
> The security patch was developed on top of the 2000a level set code base,
> which was about to be released to customers. Merging the patch with 2000a
> and expediting the release of the level set had the following advantages:
>
> 1. The patch did not need to be retrofitted to the 1999 code bases, which
> shortened development time significantly given the size of the fix for
> exposure 3.
>
> 2. L-Soft can perform live tests on the 2000a code base in house, but
> would have had to enlist customer assistance for a 1999a live test,
> which would have introduced additional delays.
>
> 3. The recent I LOVE YOU emergency makes it desirable to accelerate the
> deployment of 2000a, which includes a new feature that can help fight
> this kind of virus.
>
> 4. Being a level set, the patch is easier to fetch and install. There is
> no risk of downloading a version of the patch for the wrong code base.
>
> The only drawback is that you are required to apply unrelated changes to
> secure your system. L-Soft has been using the 2000a level set in
> production since March and estimates that about 350 million messages have
> been successfully delivered through this code base.
>
> The 2000a level set includes all known fixes up to March 3, 2000, and the
> following between-release enhancements:
>
> - Support for a new keyword, "Attachments=", allowing attachments to be
> filtered from mailing lists. Documentation for this new feature will be
> released shortly, along with practical guidelines for filtering the I
> LOVE YOU virus and its derivatives.
>
> - Support for multi-line substitutions in mail-merge jobs (previously
> available from L-Soft support through a special patch).
>
> - Miscellaneous performance improvements and new performance-related
> features for LISTSERV HPO. Documentation will follow shortly.
>
> APPLYING THE 2000a LEVEL SET
> ----------------------------
>
> Level sets are standard installation kits that replace the previous
> installation kits on L-Soft's FTP and web servers. They can be used to
> install a new copy of LISTSERV or upgrade an existing installation. A
> level set is similar to a Windows NT CD-ROM with the latest service pack
> pre-applied.
>
> To download the 2000a level set, simply go to L-Soft's web site (or to
> FTP.LSOFT.COM) and download an evaluation copy of LISTSERV or LISTSERV
> Lite, then follow the installation instructions for your operating
> system. The kits can be found at:
>
> http://www.lsoft.com/download/default.asp?item=listserveval
>
> http://www.lsoft.com/products/default.asp?item=listserv_lite#download
>
> LICENSE KEY FOR THE 2000a LEVEL SET
> -----------------------------------
>
> The level set is a no-cost upgrade to customers licensed for version 1.8d
> and will work with your existing 1.8d license key.
>
> The level set will NOT work with a 1.8c, 1.8b or older license key.
>
> SPECIAL NOTES
> -------------
>
> 1. Make sure to update ALL LISTSERV executables, including WA, lsv_amin,
> lcmd, etc.
>
> 2. The 2000a level set for VM/ESA will be made available at a later date.
> VM/ESA sites are not affected by the security vulnerability and do not
> need to apply 2000a to secure their systems, so its delivery was not
> rushed. The VM/ESA version uses a different software update mechanism,
> which requires additional development work to release a level set.
>
> 3. The 2000a level set is only available for operating systems currently
> supported by L-Soft. When browsing FTP.LSOFT.COM, you may find
> installation kits for other operating systems, such as Ultrix or SunOS
> 4.x, but these kits will be based on older versions and/or code bases.
> L-Soft no longer has development machines for unsupported operating
> systems and is not in a position to compile the 2000a level set for
> these systems.
>
Kip Keil, DBA               |
[log in to unmask]          | We all learn from history....
http://www.utahoutdoors.com | either by study, or by repetition.
                            |   - Kip Keil, 1998
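An added audit script (not from the advisory, nor L-Soft's code) for a unix install, covering the two root-escalation conditions the advisory lists under EXPOSURE and the "update ALL executables" note: it flags setuid/setgid or world-writable files under the LISTSERV tree and reports any of wa, lsv_amin or lcmd that is missing or older than a reference file. The directory layout and the reference-file comparison are assumptions.

```shell
#!/bin/sh
# Example audit for a unix LISTSERV tree after applying a level set.
# Not part of the advisory; paths and the reference-file idea are assumed.

# audit_perms DIR: print files that carry more privilege than a
# non-privileged LISTSERV needs (setuid/setgid) or are world-writable.
# Returns 1 if anything is found, 0 if the tree is clean.
audit_perms() {
    dir=$1
    hits=$(find "$dir" -type f \
        \( -perm -4000 -o -perm -2000 -o -perm -0002 \) -print)
    if [ -n "$hits" ]; then
        printf 'privilege/permission problems:\n%s\n' "$hits"
        return 1
    fi
    return 0
}

# audit_updated DIR REF: every named executable must exist and be at
# least as new as REF (e.g. a file unpacked from the new kit), so a
# partially applied level set shows up as "stale". Returns 1 on any hit.
audit_updated() {
    dir=$1; ref=$2; rc=0
    for exe in wa lsv_amin lcmd; do
        if [ ! -f "$dir/$exe" ]; then
            echo "missing: $dir/$exe"; rc=1
        elif [ "$ref" -nt "$dir/$exe" ]; then
            echo "stale: $dir/$exe"; rc=1
        fi
    done
    return $rc
}

# Usage: sh audit.sh /path/to/listserv /path/to/listserv/README
if [ $# -eq 2 ]; then
    ok=0
    audit_perms "$1" || ok=1
    audit_updated "$1" "$2" || ok=1
    [ "$ok" -eq 0 ] && echo "OK: $1"
    exit "$ok"
fi
```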