Critical LISTSERV Holes Patched

New versions of the popular e-mail list management server correct multiple code execution vulnerabilities.

E-mail list management vendor L-Soft on Thursday released a new version of its popular LISTSERV software to fix a range of "highly critical" security vulnerabilities.

In a security advisory, L-Soft International Inc. said the hole was discovered and patched in the LISTSERV Web interface.

Affected products include LISTSERV Maestro, LISTSERV HPO, LISTSERV Lite and the LISTSERV Free Edition, the company said. All users are urged to apply patches immediately.

LISTSERV, an automatic mailing list server developed in the mid-1980s, is the de facto standard for e-mail list management. The software lets users manage opt-in e-mail lists for the distribution of newsletters, announcements and discussion groups.

The flaws, which were reported by researchers at NGSS (Next Generation Security Software Ltd.), could allow malicious hackers to gain non-privileged access to the system on which the Web interface script is running.

Security alerts aggregator Secunia rates the issue as highly critical and warned that a successful exploit could cause the execution of arbitrary code or denial-of-service conditions.

The fixes have been included in LISTSERV version 14.3 level set 2005a. Patches and deployment instructions are available here.

