For those of us relatively new to running ListServ, and running it on a Solaris/Sparc box, would this "level" upgrade include downloading and reinstalling the common.tar.Z, or just the [os].tar.z?

Kip

On Fri, 5 May 2000, Eric Thomas wrote:

> Date: Fri, 5 May 2000 19:33:58 +0200
> From: Eric Thomas
> Reply-To: LISTSERV give-and-take forum
> Subject: SECURITY ADVISORY FROM L-SOFT
>
> *************************************************************************
> *************************** SECURITY ADVISORY ***************************
> *************************************************************************
>
> A security exposure has been discovered and fixed in LISTSERV and
> LISTSERV Lite. L-Soft recommends that all affected users apply the 2000a
> level set immediately.
>
> ------------------------------- ABSTRACT --------------------------------
>
> PRODUCTS AFFECTED:
>
> - LISTSERV version 1.8d (confirmed), including LISTSERV Lite.
>
> - LISTSERV version 1.8c (inferred), including LISTSERV Lite betas.
>
> - LISTSERV version 1.8b and older are NOT affected.
>
> - Note that support for version 1.8c (released January, 1997) was
>   discontinued March, 1999. No patches are available for version 1.8c.
>
> OPERATING SYSTEMS AFFECTED:
>
> - Windows NT/2000, unix (all vendors), OpenVMS AXP (confirmed).
>
> - Windows 95/98, OpenVMS VAX (inferred).
>
> - VM/ESA sites are NOT affected.
>
> EXPOSURE:
>
> Intruders may be able to gain non-interactive access to the system on
> which LISTSERV is running. On a properly configured LISTSERV
> installation, this access will be non-privileged. It may be possible for
> the intruder to gain root access if one of the following is true:
>
> - LISTSERV executables were granted privileges over those that are
>   required and/or recommended for the particular operating system.
>
> - The operating system is not secure (for instance, key system files have
>   world write access because the system is installed on a FAT partition).
>
> SOLUTION:
>
> - Apply 2000a level set (see below). The problem cannot be circumvented.
>
> - [Windows NT/2000] Make sure your boot/system drive is formatted for
>   NTFS with suitable access control lists.
>
> - Reminder: L-Soft does not recommend running LISTSERV on Windows 95/98.
>
> RISK RATING: HIGH
>
> - Date vulnerability appeared in code stream: January, 1996.
>
> - Date of first reported exploit: April 29, 2000.
>
> - Exploit widely known within hacker community since: May 4, 2000.
>
> INCIDENT CHRONOLOGY:
>
> 2000-04-28 Initial report, exposure 1 (one site)
> 2000-04-28 Exposure 1 determined to be innocuous; no emergency action
> 2000-04-29 Initial report, exposure 2 (one site)
> 2000-04-29 Emergency action initiated
> 2000-04-29 Patch A1 ready (exposures 1 and 2)
> 2000-04-29 A1 delivered to reporting site
> 2000-04-30 A1 passed standard internal tests, ready for deployment
> 2000-04-30 Exposure 3 discovered by L-Soft; deployment of A1 cancelled
> 2000-05-01 Patch A2 ready (exposures 1, 2 and 3)
>            NOTE: A2 required rewrite of core routines, schedule full
>            live test before deployment!
> 2000-05-01 A2 delivered to reporting site
> 2000-05-02 A2 fails internal tests
> 2000-05-02 Patch A3 ready (exposures 1, 2 and 3)
> 2000-05-02 A3 delivered to reporting site
> 2000-05-02 A3 passed standard internal tests, ready for live test
> 2000-05-02 A3 live test starting [this is a 24h test]
> 2000-05-02 A3 merged with 2000a level set
> 2000-05-02 2000a kit generation starting
> 2000-05-03 2000a kits ready for deployment
> 2000-05-03 A3 passes live test, ready for deployment
> 2000-05-03 Deployment postponed to 05/04 due to time of day
> 2000-05-04 Deployment postponed to 05/05 due to I LOVE YOU virus emergency
> 2000-05-05 2000a deployed
>
> ---------------------------- END OF ABSTRACT ----------------------------
>
> THE 2000a LEVEL SET
> -------------------
>
> The security patch was developed on top of the 2000a level set code base,
> which was about to be released to customers. Merging the patch with 2000a
> and expediting the release of the level set had the following advantages:
>
> 1. The patch did not need to be retrofitted to the 1999 code bases, which
>    shortened development time significantly given the size of the fix for
>    exposure 3.
>
> 2. L-Soft can perform live tests on the 2000a code base in house, but
>    would have had to enlist customer assistance for a 1999a live test,
>    which would have introduced additional delays.
>
> 3. The recent I LOVE YOU emergency makes it desirable to accelerate the
>    deployment of 2000a, which includes a new feature that can help fight
>    this kind of virus.
>
> 4. Being a level set, the patch is easier to fetch and install. There is
>    no risk of downloading a version of the patch for the wrong code base.
>
> The only drawback is that you are required to apply unrelated changes to
> secure your system. L-Soft has been using the 2000a level set in
> production since March and estimates that about 350 million messages have
> been successfully delivered through this code base.
>
> The 2000a level set includes all known fixes up to March 3, 2000, and the
> following between-release enhancements:
>
> - Support for a new keyword, "Attachments=", allowing attachments to be
>   filtered from mailing lists. Documentation for this new feature will be
>   released shortly, along with practical guidelines for filtering the I
>   LOVE YOU virus and its derivatives.
>
> - Support for multi-line substitutions in mail-merge jobs (previously
>   available from L-Soft support through a special patch).
>
> - Miscellaneous performance improvements and new performance-related
>   features for LISTSERV HPO. Documentation will follow shortly.
>
> APPLYING THE 2000a LEVEL SET
> ----------------------------
>
> Level sets are standard installation kits that replace the previous
> installation kits on L-Soft's FTP and web servers. They can be used to
> install a new copy of LISTSERV or upgrade an existing installation. A
> level set is similar to a Windows NT CD-ROM with the latest service pack
> pre-applied.
>
> To download the 2000a level set, simply go to L-Soft's web site (or to
> FTP.LSOFT.COM) and download an evaluation copy of LISTSERV or LISTSERV
> Lite, then follow the installation instructions for your operating
> system. The kits can be found at:
>
> http://www.lsoft.com/download/default.asp?item=listserveval
>
> http://www.lsoft.com/products/default.asp?item=listserv_lite#download
>
> LICENSE KEY FOR THE 2000a LEVEL SET
> -----------------------------------
>
> The level set is a no-cost upgrade to customers licensed for version 1.8d
> and will work with your existing 1.8d license key.
>
> The level set will NOT work with a 1.8c, 1.8b or older license key.
>
> SPECIAL NOTES
> -------------
>
> 1. Make sure to update ALL LISTSERV executables, including WA, lsv_amin,
>    lcmd, etc.
>
> 2. The 2000a level set for VM/ESA will be made available at a later date.
>    VM/ESA sites are not affected by the security vulnerability and do not
>    need to apply 2000a to secure their systems, so its delivery was not
>    rushed. The VM/ESA version uses a different software update mechanism,
>    which requires additional development work to release a level set.
>
> 3. The 2000a level set is only available for operating systems currently
>    supported by L-Soft. When browsing FTP.LSOFT.COM, you may find
>    installation kits for other operating systems, such as Ultrix or SunOS
>    4.x, but these kits will be based on older versions and/or code bases.
>    L-Soft no longer has development machines for unsupported operating
>    systems and is not in a position to compile the 2000a level set for
>    these systems.

--
Kip Keil, DBA
http://www.utahoutdoors.com

We all learn from history.... either by study, or by repetition. - Kip Keil, 1998