From owner-freebsd-questions Tue Aug 14 0:41:27 2001
Date: Tue, 14 Aug 2001 17:11:50 +0930
From: Greg Lehey
To: Ryan Thompson
Cc: William Nunn, freebsd-questions@FreeBSD.ORG
Subject: Re: Remotely Exploitable telnetd bug
Message-ID: <20010814171150.S61413@wantadilla.lemis.com>
In-Reply-To: ; from ryan@sasknow.com on Tue, Aug 14, 2001 at 01:28:15AM -0600
User-Agent: Mutt/1.2.5i
Organization: The FreeBSD Project
Phone: +61-8-8388-8286
Fax: +61-8-8388-8725
Mobile: +61-418-838-708
WWW-Home-Page: http://www.FreeBSD.org/
X-PGP-Fingerprint: 6B 7B C3 8C 61 CD 54 AF 13 24 52 F8 6D A4 95 EF
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk

On Tuesday, 14 August 2001 at 1:28:15 -0600, Ryan Thompson wrote:
> William Nunn wrote to freebsd-questions@FreeBSD.ORG:
>
>> I'm planning on buying FreeBSD, but I saw the news about the bug on
>> the site. As of today, Aug 14th, if I buy a new jewel case or boxed
>> distribution, will it include that security flaw? I know there is a
>> patch for it, but I'm interested to know if I'm spared of it.
>
> As Kris has already pointed out, the current (4.3-RELEASE) CDs still
> contain the vulnerability. In your shoes, you have three options to squash
> the bug:
>
> 1) Wait for the new CDs to ship (a small ways away yet)
> 2) Get the current 4.3-RELEASE CDs, and install FreeBSD. Then
>    patch your system with the posted fixes.
> 3) Get 4.3 (on CD, downloaded, etc), and use cvsup to bring
>    your system to the latest -STABLE version (which, right now,
>    I think, is a 4.4 prerelease, meaning the latest stability
>    and security issues are already in place).

The best alternative is: don't use telnet. Even with this fix, the
protocol is inherently insecure.

Greg
--
When replying to this message, please copy the original recipients.
If you don't, I may ignore the reply.
For more information, see http://www.lemis.com/questions.html
See complete headers for address and phone numbers