Overview
Several buffer overflow vulnerabilities have been discovered in LISTSERV. These vulnerabilities could allow a remote attacker to execute arbitrary code on an affected system.
Description
L-Soft's LISTSERV is an email list management software package. It includes a Web Archive and Administration (WA) interface that allows users to browse and search list archives, and list owners and site maintainers to perform a number of management tasks. Several buffer overflow errors were discovered in the WA CGI component. These vulnerabilities are reported to affect LISTSERV versions 14.3 and 14.4, including LISTSERV Lite and HPO on all supported platforms. The specific nature of the underlying vulnerabilities is unknown at this time; however, the reporter has stated that additional technical details will be publicly released on 2006-06-03.
Impact
A remote attacker may be able to execute code of their choosing with the permissions of the WA CGI program.
Solution
Upgrade
L-Soft has released version 14.5 of LISTSERV and LISTSERV Lite that contains a fix for these vulnerabilities. For more information, please see the "WA Security Alert" featured in the software release notes. Users of these products are strongly urged to upgrade to this fixed version of the software.
Acknowledgements
Peter Winter-Smith of Next Generation Security Software Research reported this vulnerability.
This document was written by Chad R Dougherty.
Other Information
CVE IDs: CVE-2006-1044
Severity Metric: 18.28
Date Public: 2006-03-03
Date First Published: 2006-03-09
Date Last Updated: 2006-03-09 16:44 UTC
Document Revision: 11