I've updated the version of inetutils in cygwin/latest to 1.3.2-23.

This is a security update. It solves the problem described as CERT® Advisory CA-2001-21 Buffer Overflow in telnetd. See http://www.cert.org/advisories/CA-2001-21.html.

An overflowable buffer was found in the version of telnetd included in the Cygwin net distribution. Due to incorrect bounds checking of data buffered for output to the remote client, an attacker can cause the telnetd process to overflow the buffer and crash, or execute arbitrary code as the user running telnetd, usually SYSTEM. A valid user account and password is not required to exploit this vulnerability, only the ability to connect to a telnetd server.

This version also contains the so far unannounced fixes from versions 1.3.2-21 and 1.3.2-22:

- In inetd, don't call AllocConsole on 9x/Me. This results in not opening an extra DOS window when starting some native console applications.

- rlogin used the wrong (old BSD) technique to evaluate the speed to send to rlogind due to a BSD-centric precompiler directive. This could lead to a crash.

=========================================================================
IMPORTANT NOTE:

- When updating inetutils, take care that inetd.exe and subsequent processes don't run anymore.
=========================================================================

To update your installation, click on the "Install Cygwin now" link on the http://cygwin.com web page. This downloads setup.exe to your system. Run setup and answer all of the questions. Note that if this is the first time that you've run the new GUI version of setup, it will currently download the whole cygwin net release again. After this point it will only download what is needed.

If you have questions or comments, please send them to the Cygwin mailing list at: [EMAIL PROTECTED]. I would appreciate it if you would use this mailing list rather than emailing me directly. This includes ideas and comments about the setup utility or Cygwin in general. If you want to make a point or ask a question, the Cygwin mailing list is the appropriate place.
--
Corinna Vinschen
Cygwin Developer
Red Hat, Inc.
Please, send mails regarding Cygwin to mailto:[EMAIL PROTECTED]
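
The bug class named in the announcement (incorrect bounds checking of data buffered for output to the remote client), sketched as an added example. This is not code from inetutils or from the original message: the struct, function names and the 64-byte capacity are hypothetical and only show an unchecked append to a fixed output buffer beside a checked one.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define OUT_CAP 64   /* constructed capacity, chosen small for the demo */

struct outbuf {      /* hypothetical output queue, not inetutils' own type */
    char   data[OUT_CAP];
    size_t used;     /* bytes queued but not yet written to the socket */
};

/* Unchecked pattern, shown for contrast only and never called here:
 * it assumes every reply fits. If the peer can cause more data to be
 * queued than the buffer holds, memcpy writes past data[]. */
void out_append_unchecked(struct outbuf *b, const char *src, size_t len)
{
    memcpy(b->data + b->used, src, len);
    b->used += len;
}

/* Checked form: compare len against the remaining space instead of
 * computing used + len, which could wrap around. Returns 0 on success,
 * -1 when the caller must flush (or close the connection) first. */
int out_append(struct outbuf *b, const char *src, size_t len)
{
    if (b->used > OUT_CAP || len > OUT_CAP - b->used)
        return -1;
    memcpy(b->data + b->used, src, len);
    b->used += len;
    return 0;
}

/* Queue the same reply up to n times; returns how many were accepted. */
int queue_replies(struct outbuf *b, const char *reply, int n)
{
    int accepted = 0;
    for (int i = 0; i < n; i++) {
        if (out_append(b, reply, strlen(reply)) != 0)
            break;   /* buffer full: stop instead of overflowing */
        accepted++;
    }
    return accepted;
}

int main(void)
{
    struct outbuf b = { {0}, 0 };
    int n = queue_replies(&b, "0123456789", 100);  /* constructed input */
    printf("accepted %d replies, %zu bytes queued\n", n, b.used);
    return 0;
}
```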