Mon, 6 Mar 2006 15:32:59 -0500
Nathan,
Do we need a new LAK for the new release or will the 14.4 LAK work?
- Charlie
On Mon, 6 Mar 2006, Nathan Brindle wrote:
> If you have current maintenance, it's a free upgrade.
>
> Nathan
>
> At 11:47 AM 3/6/2006 -0500, Chris Mead wrote:
>> Hmm... in order to patch a "critical vulnerability" in LSoft's software you
>> must pay for an upgrade.
>>
>> ~Chris
>>
>>
>> -----Original Message-----
>> From: LISTSERV site administrators' forum
>> [mailto:[log in to unmask]] On Behalf Of Karol Leuzarder
>> Sent: Monday, March 06, 2006 10:30 AM
>> To: [log in to unmask]
>> Subject: Critical Risk Vulnerability in L-Soft Listserv
>>
>> Date: Friday, March 3, 2006 4:56 PM -0800
>> From: NGSSoftware Insight Security Research <[log in to unmask]>
>> To: [log in to unmask], [log in to unmask]
>> Subject: Critical Risk Vulnerability in L-Soft Listserv
>>
>> Peter Winter-Smith of NGSSoftware has discovered a number of vulnerabilities
>> in L-Soft's LISTSERV list management system. The worst of these carries a
>> critical risk rating.
>>
>> Affected versions include:
>>
>> - LISTSERV version 14.4, including LISTSERV Lite and HPO
>> - LISTSERV version 14.3, including LISTSERV Lite and HPO
>>
>> And possibly all prior versions of LISTSERV which are installed with the web
>> archive interface, which is currently the default installation behaviour.
>>
>> The vulnerabilities which have been fixed can, in the worst of cases, allow
>> a remote unauthenticated attacker to execute arbitrary code on the system
>> hosting the LISTSERV archive web interface.
>>
>> This issue has been resolved in the latest release of L-Soft LISTSERV
>> (version 14.5), which may be downloaded from:
>>
>> http://www.lsoft.com/download/listserv.asp
>> http://www.lsoft.com/download/listservlite.asp
>>
>> NGSSoftware are going to withhold details of this flaw for three months.
>> Full details will be published on the 3rd June 2006. This three month window
>> will allow users of L-Soft's LISTSERV the time needed to apply the patch
>> before the details are released to the general public. This reflects
>> NGSSoftware's approach to responsible disclosure.
>>
>> NGSSoftware Insight Security Research
>> http://www.ngssoftware.com
>> http://www.databasesecurity.com/
>> http://www.nextgenss.com/
>> +44(0)208 401 0070
>>
>>
>>
>> ************************************************************
>> Karol K. Leuzarder [log in to unmask]
>> Senior Technical Programmer phone: 401-874-4965
>> OIS/TOPS, 48 Tyler Hall fax: 401-789-4040
>> University of Rhode Island
>> Kingston, RI 02881
>