[928] in Kerberos_V5_Development
[David Borman: security bugfix for telnet: rev 2]
daemon@ATHENA.MIT.EDU (Theodore Ts'o)
Mon Oct 23 14:11:24 1995
Date: Mon, 23 Oct 1995 14:11:11 -0400
From: Theodore Ts'o <tytso@MIT.EDU>
To: krbdev@MIT.EDU
Cc: dab@cray.com
FYI.
Sam, did you use Dave's patches to fix telnet, or did we do our own? I
wasn't really impressed with his idea to just clean out all of the
offending environment variables, since on some systems LD_LIBRARY_PATH
might be required, and passed by /etc/inetd for all we know. Filtering
it when doing the telnet options negotiation seemed like the better path
to take, anyway.
- Ted
------- Forwarded Message
From: David Borman <dab@cray.com>
Date: Mon, 23 Oct 1995 10:26:33 -0500
To: tytso@MIT.EDU
Subject: security bugfix for telnet: rev 2
Cc: ftp-linux@tsx-11.mit.edu
Ted,
Well, in my haste to fix telnetd, I screwed up some strcmp() calls,
which caused not just the offending environment variables to be
removed, but the entire environment to be stripped out before
/bin/login is execed. I've dropped off a new archive in:
tsx-11.mit.edu:incoming/telnet.95.10.23.tar.Z
to replace the 95.10.19 archive that I dropped off at the end of
last week.
My apologies.
-David Borman, dab@cray.com
------- End Forwarded Message
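
The failure mode described in the forwarded message, as an added example that is not code from the telnet archive or from either author: an environment scrub run before exec of /bin/login, with a correct prefix test beside one whose strncmp() result is read the wrong way round. The deny-list prefixes, the function names and the sample environment are assumptions; the exact mistake in the 95.10.19 archive is not shown on this page.

```c
#include <stdio.h>
#include <string.h>

/* Assumed deny-list. The thread names only LD_LIBRARY_PATH; the prefixes are illustrative. */
static const char *const deny_prefixes[] = { "LD_", "_RLD_", NULL };

/* Correct test: strncmp() returns 0 when the entry starts with the prefix. */
static int is_denied(const char *entry)
{
    for (const char *const *p = deny_prefixes; *p != NULL; p++)
        if (strncmp(entry, *p, strlen(*p)) == 0)
            return 1;
    return 0;
}

/* Constructed bug: a non-zero (mismatch) result is treated as a hit, so any
 * entry that differs from at least one prefix is dropped, which is every entry. */
static int is_denied_inverted(const char *entry)
{
    for (const char *const *p = deny_prefixes; *p != NULL; p++)
        if (strncmp(entry, *p, strlen(*p)))
            return 1;
    return 0;
}

/* Compact envp in place, keeping entries the predicate does not flag.
 * Returns the number of entries kept; the array stays NULL-terminated. */
static size_t scrub_env(char **envp, int (*denied)(const char *))
{
    char **in, **out;
    for (in = out = envp; *in != NULL; in++)
        if (!denied(*in))
            *out++ = *in;
    *out = NULL;
    return (size_t)(out - envp);
}

int main(void)
{
    /* Constructed sample environments, one per predicate. */
    char *good[] = { "TERM=vt100", "LD_LIBRARY_PATH=/tmp/x", "HOME=/root", "_RLD_LIST=y", NULL };
    char *bad[]  = { "TERM=vt100", "LD_LIBRARY_PATH=/tmp/x", "HOME=/root", "_RLD_LIST=y", NULL };
    printf("correct scrub keeps %zu entries\n", scrub_env(good, is_denied));
    printf("inverted scrub keeps %zu entries\n", scrub_env(bad, is_denied_inverted));
    return 0;
}
```

Asserting on the number of entries kept, as well as on the absence of the denied names, is what catches the inverted comparison: an emptied environment contains no denied variables either.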