On Mon, Sep 27, 2004 at 01:17:47PM +0200, Milan Jurik wrote:
> Yes, it's time to look at the sources and find the truth.

This appears to have been addressed by the patch in DSA-070-1, so you should be able to apply that to current sources with a small amount of work.

Although the .diff.gz file has gone from Debian's mirrors you can see a proposed patch in the original Bugtraq mail:

http://www.securityfocus.com/archive/1/203000

I hope that helps those who still run telnetd for whatever reason.

(From the advisory it suggests that Debian runs telnetd as its own user, so it's not a remote root at least. Unless you have an unpatched kernel or other hole available for exploitation).

Steve
--