[6094] in Kerberos
Re: Telnet Environment Vulnerability
daemon@ATHENA.MIT.EDU (Sam Hartman)
Wed Nov 1 17:17:19 1995
To: "Doug Engert" <DEEngert@anl.gov>
Cc: <HARTMANS@MIT.EDU>, <BASCH@LEHMAN.COM>, <RACKOW@MCS.ANL.GOV>,
kerberos@MIT.EDU
In-Reply-To: Your message of "Wed, 01 Nov 1995 09:15:24 CST."
<9511011516.AA06857@MIT.EDU>
Date: Wed, 01 Nov 1995 17:03:58 EST
From: Sam Hartman <hartmans@MIT.EDU>
>>>>> "Doug" == Doug Engert <DEEngert@anl.gov> writes:
Doug> In addition to the people you have cited for helping with
Doug> this problem, you should also mention "Richard Basch"
Doug> <basch@lehman.com> since he did send in a report to
Doug> krb5-bugs on October 18 stating:

Oops; I forgot to fix that up before sending out the memo.

Basically, the chronology of the krb5 patch is significantly more
complicated than I led the reader to believe. Richard accidentally
included the telnet environment patch in a list of less sensitive
bugs he was reporting to krb5-bugs.

I applied something along the lines of a preliminary patch I
received from Mark Eichin to the source tree. Richard overwrote my
patch with an equivalent patch when he was checking in his telnet
changes. Then, later, several people made modifications to the code
to deal with environment variables as they came in. The patch that
was eventually released is basically Richard's patch, not mine.

The important thing to note is that Richard's original patch
to krb5-bugs is incomplete. If you got the telnet patch from that
list, you should still obtain the official environment variable patch
and apply it, as it deals with several additional situations.

--Sam