On Mon, Sep 27, 2004 at 12:59:28PM +0100, Steve Kemp wrote:
> On Mon, Sep 27, 2004 at 01:17:47PM +0200, Milan Jurik wrote:
>
> > Yes, it's time to look at the sources and find the truth.
>
> This appears to have been addressed by the patch in DSA-070-1,
> so you should be able to apply that to current sources with a small
> amount of work.
>
> Although the .diff.gz file has gone from Debian's mirrors you can
> see a proposed patch in the original Bugtraq mail:
>
> http://www.securityfocus.com/archive/1/203000
>
> I hope that helps those who still run telnetd for whatever reason.
>
> (From the advisory it suggests that Debian runs telnetd as its
> own user, so it's not a remote root at least. Unless you have an
> unpatched kernel or other hole available for exploitation).

As far as we are aware, it is not a remote code execution exploit at all,
but only a DoS. See http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=273694

--
 - mdz