|Main Archive Page > Month Archives > oss-security archives|
On 12/25/2011 10:14 AM, Florian Weimer wrote:
> This is just a heads-up: CVE-2011-4862, a pre-authentication buffer
> overflow in telnetd recently fixed by FreeBSD is not BSD-specific. It
> seems to have been added at MIT when the BSD telnetd was Kerberized,
> and it ended up in the Heimdal recryptofication of Kerberos (from
> where FreeBSD got it) and later in GNU inetutils. I have reproduced a
> pre-authentication segfault with both versions (as shipped by Debian).
> The telnetd from netkit does not appear to be affected.
Good write up at:
-- -Kurt Seifried / Red Hat Security Response Team