Description of the changes for the 2000a "level set" release
Version 1.8d of LISTSERV(R)
------------------------------------------------------------

Copyright 2000 L-Soft international, Inc.
5 May 2000

THE 2000a LEVEL SET
-------------------

The 2000a level set includes all known fixes and patches up to March 3,
2000, and the following between-release enhancements:

- The security fix mentioned in the 05/05 advisory posted to LSTSRV-L,
  LSTSRV-M, etc.

- Support for a new keyword, "Attachments=", allowing attachments to be
  filtered from mailing lists.

- Support for multi-line substitutions in mail-merge jobs (previously
  available from L-Soft support through a special patch).

- Miscellaneous performance improvements and new performance-related
  features for LISTSERV HPO.

*****************************
* Fix for security exposure *
*****************************

The security exposure mentioned in the advisory posted to LSTSRV-L,
LSTSRV-M, and other L-Soft support lists on 5 May 2000 has been fixed in
LISTSERV and LISTSERV Lite. L-Soft recommends that all affected users
apply the 2000a level set immediately.

******************************************
* New "Attachments=" list header keyword *
******************************************

LISTSERV 1.8d kits dated after 2 May 2000 include a list-owner-configurable
message attachment filter. This feature allows you to control the posting
of various types of MIME attachments (images, audio, etc.) to your lists.

The basic syntax is:

    Attachments= Yes | No[,Filter] | type1,type2,...[,Filter]

The options are:

Attachments= Yes

    All types of attachments are allowed to be posted to the list (the
    default). Note however that other configuration options may still
    disallow the posting of certain attachments, and that "Attachments=
    Yes" does not override them. For instance, if you have "Language=
    NoHTML", setting "Attachments= Yes" does not override the Language=
    setting. Or if you have "Sizelim=" set to a value that precludes a
    file of x number of lines from being posted to the list, setting
    "Attachments= Yes" will not override the Sizelim= setting if the
    message with its attachment exceeds the number of lines specified by
    Sizelim=.

Attachments= No

    All types of attachments are disallowed, other than plain text
    (always allowed) and HTML text (which is controlled exclusively by
    the "Language= NoHTML" keyword setting). With "Attachments= No",
    LISTSERV rejects messages containing attachments and bounces them
    back to the poster.

Attachments= No,Filter

    Same as "Attachments= No", except that LISTSERV simply removes the
    unwanted material from the message and processes it instead of
    rejecting it out of hand. The removal of material is a silent
    operation, i.e., the poster is not notified that the attachment was
    discarded.

It is also possible to allow certain MIME types to be passed through to
the list while rejecting or filtering all others. For instance,

    Attachments= image,application/*msword

allows only the specified attachment types and rejects everything else.
If you don't want to reject messages that contain other types of
attachments, but just want to remove all other types of attachments, you
add the ",Filter" parameter at the end of the line, i.e.,

    Attachments= image,application/*msword,Filter

This means, "Allow all image and application/*msword attachments, and
strip all other attachments". Again, note that plain text ("Content-Type:
text/plain") is always allowed and does not need to be included in the
list of allowed attachment types. Likewise, HTML text is controlled
exclusively by the "Language= NoHTML" keyword setting. Other text
subtypes are, however, controlled by "Attachments=", so they need to be
listed if you intend to allow them.

Note carefully that simply coding something like "Attachments= image"
will not necessarily allow all image files through. This is highly
dependent on the client being used by the poster. For instance, if your
client attaches all binary files as "Content-Type: application/octet-
stream", regardless of whether a given binary is (for instance) an
executable image, a Word file, or a compressed archive, and you send a
JPEG to a list with "Attachments= image" set in the header, it will be
rejected since the image does not have a "Content-Type: image" tag.
Specifically this appears to be the case with Eudora 3.x but may not be
limited to that particular client.

Note also that attachments sent by default installations of Microsoft
Outlook cannot be blocked by LISTSERV as they do not follow MIME
standards (at least not up to and including Outlook 97; this writer has
not installed Outlook 2000). By default Outlook sends attachments as
embedded uuencoded files and does not use MIME Content-Type: headers
unless you change this in the Outlook user profile.

The rejection message sent by LISTSERV when ",Filter" is not specified is
found in the BAD_ATTACHMENT mail template form (see chapter 9 for
information on LISTSERV's mail templates). Note that the BAD_ATTACHMENT
template form is a linear template and as such does not allow text
formatting commands to be used.

The reason HTML text is not subject to "Attachments=" filtering is to
allow you to reject (bounce) messages with attachments, while silently
suppressing HTML text in multi-part messages which also contain a
plain-text alternative. Some mail programs send both HTML and plain-text
versions of messages, and, even if you do not want HTML text on your
list, there is little point in keeping out people who use it (who are
often new to the Internet and aren't aware that their mail programs are
sending HTML text) when you can simply remove the HTML part. At the same
time, you may want to reject postings containing images out of hand,
rather than removing the images and continuing. The same applies to
Exchange attachments, which are filtered by default (see "Language=
Exchange").
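The following Python script is an added illustration of the "Attachments=" semantics described above; it is not LISTSERV code and does not reproduce the server's actual implementation. It models the four forms of the keyword (Yes, No, a type list, and the ",Filter" suffix), treats text/plain and text/html as exempt from the check (the latter being governed by "Language= NoHTML"), expands a bare top-level type such as "image" to every subtype, and matches wildcards like "application/*msword". The sample posting is constructed here: a text part, a JPEG labelled image/jpeg, and the same bytes labelled application/octet-stream, which reproduces the Eudora-style caveat that a JPEG sent as octet-stream is rejected under "Attachments= image". The addresses and filenames are placeholders.

```python
"""Model of the LISTSERV "Attachments=" keyword (added example, not L-Soft code)."""
import email
from email import policy
from email.message import EmailMessage
from fnmatch import fnmatchcase

# Plain text is always allowed and HTML text is governed by "Language= NoHTML",
# so neither is subject to the Attachments= check.
EXEMPT_TYPES = ("text/plain", "text/html")


def parse_attachments_keyword(value):
    """Parse the keyword value into (allowed, filter_mode).

    allowed is None for "Yes" (everything passes), [] for "No", or a list of
    lower-cased MIME patterns such as ["image", "application/*msword"].
    filter_mode is True when the value ends in ",Filter".
    """
    tokens = [t.strip().lower() for t in value.split(",") if t.strip()]
    filter_mode = bool(tokens) and tokens[-1] == "filter"
    if filter_mode:
        tokens = tokens[:-1]
    if tokens == ["yes"]:
        return None, False
    if tokens == ["no"]:
        return [], filter_mode
    return tokens, filter_mode


def type_allowed(content_type, allowed):
    """True if a leaf part with this Content-Type may stay in the posting."""
    ct = content_type.lower()
    if ct in EXEMPT_TYPES or allowed is None:
        return True
    for pattern in allowed:
        # A bare top-level type ("image") stands for every subtype of it.
        if "/" not in pattern:
            pattern += "/*"
        if fnmatchcase(ct, pattern):
            return True
    return False


def strip_disallowed(part, allowed, dropped):
    """Silently remove disallowed leaf parts (the ",Filter" behaviour)."""
    if not part.is_multipart():
        return
    kept = []
    for sub in part.get_payload():
        if sub.is_multipart():
            strip_disallowed(sub, allowed, dropped)
            kept.append(sub)
        elif type_allowed(sub.get_content_type(), allowed):
            kept.append(sub)
        else:
            dropped.append(sub.get_content_type())
    part.set_payload(kept)


def apply_attachments_policy(raw_message, keyword_value):
    """Return (verdict, kept_types, dropped_types) for one posting.

    verdict is "accept" (delivered as is), "reject" (bounced to the poster,
    where LISTSERV would use the BAD_ATTACHMENT template) or "filtered"
    (delivered with the offending parts removed).
    """
    allowed, filter_mode = parse_attachments_keyword(keyword_value)
    msg = email.message_from_string(raw_message, policy=policy.default)
    leaves = [p.get_content_type() for p in msg.walk() if not p.is_multipart()]
    offending = [t for t in leaves if not type_allowed(t, allowed)]
    if not offending:
        return "accept", leaves, []
    if not filter_mode:
        return "reject", [], offending
    dropped = []
    strip_disallowed(msg, allowed, dropped)
    kept = [p.get_content_type() for p in msg.walk() if not p.is_multipart()]
    return "filtered", kept, dropped


def build_sample_posting():
    """Constructed posting: text, a JPEG labelled image/jpeg, and the same
    bytes labelled application/octet-stream, as some clients send every binary."""
    msg = EmailMessage()
    msg["From"] = "poster@example.org"        # placeholder address
    msg["To"] = "mylist@listserv.example"      # placeholder address
    msg["Subject"] = "Photos"
    msg.set_content("Here are the pictures.")
    fake_jpeg = b"\xff\xd8\xff\xe0" + b"not a real image"   # constructed bytes
    msg.add_attachment(fake_jpeg, maintype="image", subtype="jpeg",
                       filename="a.jpg")
    msg.add_attachment(fake_jpeg, maintype="application",
                       subtype="octet-stream", filename="b.jpg")
    return msg.as_string()


if __name__ == "__main__":
    posting = build_sample_posting()
    for setting in ("Yes", "No", "No,Filter", "image", "image,Filter",
                    "image,application/*msword"):
        print(f"Attachments= {setting:26} -> "
              f"{apply_attachments_policy(posting, setting)}")
```

Running the script prints one verdict per setting: "Yes" accepts all three parts, "No" rejects, "No,Filter" delivers only the text, "image" rejects because of the octet-stream JPEG, and "image,Filter" delivers the text and the properly labelled JPEG. Like the real keyword, this check only sees MIME parts: a uuencoded blob embedded in a text/plain body, which is how the text says default Outlook installations send attachments, passes through untouched.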
Practical Guidelines for defence against ILOVEYOU and derivative viruses
------------------------------------------------------------------------

With the release of the new Attachments= list header keyword, it is now
possible to reject VBS viruses such as the recent ILOVEYOU and its
"copycat" derivatives by simply setting

    Attachments= No

in the list header. As documented above, this setting blocks all MIME
attachments and will definitely block VBS viruses.

ILOVEYOU was sent as an application/octet-stream attachment, so if your
list depends on allowing (for instance) images to be passed through it,
you would probably want to code the Attachments= keyword setting as

    Attachments= image

with the caveat noted above for mail clients that send everything as an
application/octet-stream, of course. If you need to pass different MIME
types then you simply need to code the keyword setting accordingly.

It is unlikely that you would want to simply filter a VBS virus since the
"body" of the message is typically unimportant and generated by the virus
in any case. It is more useful to bounce the message back to the
originator if only as a warning that he may have contracted the virus.

***********************************************************
* Support for multi-line substitutions in mail-merge jobs *
***********************************************************

(This functionality was previously available from L-Soft support through
a special patch.)

Originally, data for substitutions into MM variables could not contain
CRLF as part of the data contents. Upon request from several customers
this was altered so that arbitrarily long data extracted from a DBMS is
now allowed to contain CRLF within the data. Please note however that
LISTSERV's internal data buffer for holding such data remains at 4096
bytes. Thus data elements exceeding this size will continue to be
truncated. The internal data buffer size is not user configurable as it
is determined at compile time.

Note also that this enhancement does not apply to 'External data'
mail-merge (*XDFN statements), which may not contain CRLF. L-Soft
continues to recommend that large variable data inserts are best
implemented as conditional blocks.

************************************
* Enhancements for the HPO version *
************************************

The following configuration variables have been added, targeted
primarily at sites running LISTSERV Classic HPO with extremely large
lists.

- ADD_ALWAYS_HERE=1: all ADD commands are treated as ADDHERE. This
  configuration variable should be used only if the site has no peered
  lists.

- ADD_NO_WILDCARD_LOOKUP=1: when executing an ADD with a wildcard for
  the name, LISTSERV will not attempt to look up the person's name in
  the SIGNUP files. This configuration variable should be used only on
  servers where subscriptions are automated via a script and list owners
  are never going to manually use the wildcard option.

The operations in question have been sped up for HPO licenses even
without setting these options. ADD becomes ADDHERE if the list is not
peered (bypassing a lot of code), a function call in service area lookup
which was very slow on non-VM systems was replaced with something
faster, and even under Classic LISTSERV will no longer record 'No Name
Available' entries in the SIGNUP files. This in turn avoids growing huge
SIGNUP files that contain no useful information. Note that
administrators should not worry if, after updating LISTSERV, many SIGNUP
entries are deleted when the server is restarted the first time. There
is code to remove existing 'No Name Available' entries for efficiency.

Additionally, the default for the site configuration variable
FIOC_MAXFILE (used for cache tuning) has been changed from 8192 to 1024.
As a result, LISTSERV will not attempt to cache lists larger than 10k
subscribers. This will not negatively affect performance on smaller
sites but it will make a big difference for sites running extremely
large lists.

********************************
* APPLYING THE 2000a LEVEL SET *
********************************

Level sets are standard installation kits that replace the previous
installation kits on L-Soft's FTP and web servers. They can be used to
install a new copy of LISTSERV or upgrade an existing installation. A
level set is similar to a Windows NT CD-ROM with the latest service pack
pre-applied.

To download the 2000a level set, simply go to L-Soft's web site (or to
FTP.LSOFT.COM) and download an evaluation copy of LISTSERV or LISTSERV
Lite, then follow the installation instructions for your operating
system. The kits can be found at:

    http://www.lsoft.com/download/default.asp?item=listserveval
    http://www.lsoft.com/products/default.asp?item=listserv_lite#download

LICENSE KEY FOR THE 2000a LEVEL SET
-----------------------------------

The level set is a no-cost upgrade to customers licensed for version
1.8d and will work with your existing 1.8d license key. The level set
will NOT work with a 1.8c, 1.8b or older license key.

SPECIAL NOTES
-------------

1. Make sure to update ALL LISTSERV executables, including WA, lsv_amin,
   lcmd, etc. Unix sites need to be sure to download both common.tar.Z
   and the `uname`.tar.Z for their operating system.

2. The 2000a level set for VM/ESA will be made available at a later
   date. VM/ESA sites are not affected by the security vulnerability and
   do not need to apply 2000a to secure their systems, so its delivery
   was not rushed. The VM/ESA version uses a different software update
   mechanism, which requires additional development work to release a
   level set.

3. The 2000a level set is only available for operating systems currently
   supported by L-Soft. When browsing FTP.LSOFT.COM, you may find
   installation kits for other operating systems, such as Ultrix or
   SunOS 4.x, but these kits will be based on older versions and/or code
   bases. L-Soft no longer has development systems for unsupported
   operating systems and is not in a position to compile the 2000a level
   set for these systems.