LSTSRV-L Archives

LISTSERV Site Administrators' Forum

Charlie Giannetto <[log in to unmask]>
Mon, 6 Mar 2006 15:32:59 -0500
Nathan,

   Do we need a new LAK for the new release or will the 14.4 LAK work?

- Charlie

On Mon, 6 Mar 2006, Nathan Brindle wrote:

> If you have current maintenance, it's a free upgrade.
>
> Nathan
>
> At 11:47 AM 3/6/2006 -0500, Chris Mead wrote:
>> Hmm... in order to patch a "critical vulnerability" in LSoft's software you
>> must pay for an upgrade.
>> 
>> ~Chris
>> 
>> 
>> -----Original Message-----
>> From: LISTSERV site administrators' forum
>> [mailto:[log in to unmask]] On Behalf Of Karol Leuzarder
>> Sent: Monday, March 06, 2006 10:30 AM
>> To: [log in to unmask]
>> Subject: Critical Risk Vulnerability in L-Soft Listserv
>> 
>> Date: Friday, March 3, 2006 4:56 PM -0800
>> From: NGSSoftware Insight Security Research <[log in to unmask]>
>> To: [log in to unmask], [log in to unmask]
>> Subject: Critical Risk Vulnerability in L-Soft Listserv
>> 
>> Peter Winter-Smith of NGSSoftware has discovered a number of
>> vulnerabilities in L-Soft's LISTSERV list management system. The worst
>> of these carries a critical risk rating.
>> 
>> Affected versions include:
>> 
>> - LISTSERV version 14.4, including LISTSERV Lite and HPO
>> - LISTSERV version 14.3, including LISTSERV Lite and HPO
>> 
>> And possibly all prior versions of LISTSERV which are installed with the
>> web archive interface, which is currently the default installation
>> behaviour.
>> 
>> The vulnerabilities which have been fixed can, in the worst of cases, allow
>> a remote unauthenticated attacker to execute arbitrary code on the system
>> hosting the LISTSERV archive web interface.
>> 
>> This issue has been resolved in the latest release of L-Soft LISTSERV
>> (version 14.5), which may be downloaded from:
>> 
>> http://www.lsoft.com/download/listserv.asp
>> http://www.lsoft.com/download/listservlite.asp
>> 
>> NGSSoftware are going to withhold details of this flaw for three months.
>> Full details will be published on the 3rd June 2006. This three month
>> window will allow users of L-Soft's LISTSERV the time needed to apply
>> the patch before the details are released to the general public. This
>> reflects NGSSoftware's approach to responsible disclosure.
>> 
>> NGSSoftware Insight Security Research
>> http://www.ngssoftware.com
>> http://www.databasesecurity.com/
>> http://www.nextgenss.com/
>> +44(0)208 401 0070
>> 
>> 
>> 
>> ************************************************************
>> Karol K. Leuzarder              [log in to unmask]
>> Senior Technical Programmer     phone:  401-874-4965
>> OIS/TOPS, 48 Tyler Hall         fax:    401-789-4040
>> University of Rhode Island
>> Kingston, RI    02881
>
