[8897] in bugtraq
Bug
daemon@ATHENA.MIT.EDU (Mr Spooty)
Sun Jan 3 14:38:26 1999
Date: Thu, 31 Dec 1998 09:28:36 -0000
Reply-To: Mr Spooty <spootyboy@HOTBOT.COM>
From: Mr Spooty <spootyboy@HOTBOT.COM>
To: BUGTRAQ@NETSPACE.ORG
I don't know if this has already been brought to people's attention
already, but if it hasn't, here you go:
We have discovered a serious security problem found in the Berkeley
telnet client. This bug only affects telnet clients which provide
support for the experimental telnet encryption option using the
Kerberos V4 authentication. All known, released versions of the BSD
telnet that support Kerberos V4 authentication and encryption are
affected by this bug.
It is recommended that all sites who use encrypted telnet in
conjunction with Kerberos V4 apply this patch immediately.
This patch, along with the domestic version of the most recently
released telnet sources from Berkeley, is available via anonymous ftp
from net-dist.mit.edu in the directory /pub/telnet.
The patch (which is also included in this message) can be found in the
file /pub/telnet/telnet.patch. The file /pub/telnet/telnet.patch.sig
contains a detached PGP signature of this file.
Users of NCSA Telnet should upgrade to the NCSA telnet 2.6.1d4, which
is available from ftp.ncsa.uiuc.edu in the directory
/Mac/Telnet/Telnet2.6/prerelease/d4.
Customers of ftp Software with an encrypting telnet (provided in the
PC/TCP or OnNet packages) should call the ftp technical support line
at 1-800-282-4387 and ask for the "tn encrypt patch".
If you have an encrypting telnet from some other vendor, please
contact that vendor for information regarding how to get a fixed
version.