Debian Bug report logs - #273694
telnetd DoS

Package: telnetd; Maintainer for telnetd is Guillem Jover <guillem@debian.org>; Source for telnetd is src:inetutils.

Reported by: Jeroen van Wolffelaar <jeroen@wolffelaar.nl>

Date: Mon, 27 Sep 2004 17:48:01 UTC

Severity: grave

Tags: patch, sarge, security, sid, woody

Fixed in version netkit-telnet/0.17-26

Done: Robert Millan <rmh@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Robert Millan <rmh@debian.org>:
Bug#273694; Package telnetd.


Acknowledgement sent to Jeroen van Wolffelaar <jeroen@wolffelaar.nl>:
New Bug report received and forwarded. Copy sent to Robert Millan <rmh@debian.org>.


Message #5 received at submit@bugs.debian.org:

From: Jeroen van Wolffelaar <jeroen@wolffelaar.nl>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: telnetd said to have security hole (remote root)
Date: Mon, 27 Sep 2004 19:30:46 +0200
Package: telnetd
Severity: grave
Tags: security woody sarge sid

Telnetd is said[1][2] to have a Debian-specific remote root security hole,
in all suites, and Matt Zimmerman is said to have confirmed the issue for
woody.

--Jeroen

[1] http://lists.debian.org/debian-security/2004/09/msg00080.html
[2] http://www.securityfocus.com/archive/1/375743

-- 
Jeroen van Wolffelaar
jeroen@wolffelaar.nl
http://jeroen.A-Eskwadraat.nl



Information forwarded to debian-bugs-dist@lists.debian.org, Robert Millan <rmh@debian.org>:
Bug#273694; Package telnetd.


Acknowledgement sent to Matt Zimmerman <mdz@debian.org>:
Extra info received and forwarded to list. Copy sent to Robert Millan <rmh@debian.org>.


Message #10 received at 273694@bugs.debian.org:

From: Matt Zimmerman <mdz@debian.org>
To: Jeroen van Wolffelaar <jeroen@wolffelaar.nl>, 273694@bugs.debian.org
Subject: Re: Bug#273694: telnetd said to have security hole (remote root)
Date: Mon, 27 Sep 2004 10:59:08 -0700

On Mon, Sep 27, 2004 at 07:30:46PM +0200, Jeroen van Wolffelaar wrote:

> Package: telnetd
> Severity: grave
> Tags: security woody sarge sid
> 
> Telnetd is said[1][2] to have a Debian-specific remote root security hole,
> in all suites, and Matt Zimmerman is said to have confirmed the issue for
> woody.

As far as we can tell, the issue is a DoS, and not in fact the old AYT bug
that Michal claims.  We have a patch and are awaiting a CAN assignment for
this bug.

In other words, no cause for panic.

-- 
 - mdz



Information forwarded to debian-bugs-dist@lists.debian.org, Robert Millan <rmh@debian.org>:
Bug#273694; Package telnetd.


Acknowledgement sent to Matt Zimmerman <mdz@debian.org>:
Extra info received and forwarded to list. Copy sent to Robert Millan <rmh@debian.org>.


Message #15 received at 273694@bugs.debian.org:

From: Matt Zimmerman <mdz@debian.org>
To: 273694@bugs.debian.org
Subject: Patch
Date: Mon, 27 Sep 2004 14:22:15 -0700

tags 273694 patch
thanks

Patch from Herbert Xu to fix the bug.

-- 
 - mdz
[telnetd-273694.diff (text/plain, attachment)]

Changed Bug title. Request was from Matt Zimmerman <mdz@debian.org> to control@bugs.debian.org.


Tags added: patch. Request was from Matt Zimmerman <mdz@debian.org> to control@bugs.debian.org.


Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#273694; Package telnetd.


Acknowledgement sent to Robert Millan <rmh@debian.org>:
Extra info received and forwarded to list.


Message #24 received at 273694@bugs.debian.org:

From: Robert Millan <rmh@debian.org>
To: Matt Zimmerman <mdz@debian.org>, 273694@bugs.debian.org
Subject: Re: Bug#273694: Patch
Date: Tue, 28 Sep 2004 00:31:04 +0200

On Mon, Sep 27, 2004 at 02:22:15PM -0700, Matt Zimmerman wrote:
> tags 273694 patch
> thanks
> 
> Patch from Herbert Xu to fix the bug.

Thanks.  Fixed in unstable.  Will you take care of woody/sarge?

-- 
 .''`.   Proudly running Debian GNU/kFreeBSD unstable/unreleased (on UFS2+S)
: :' :
`. `'    http://www.debian.org/ports/kfreebsd-gnu
  `-



Information forwarded to debian-bugs-dist@lists.debian.org, Robert Millan <rmh@debian.org>:
Bug#273694; Package telnetd.


Acknowledgement sent to Matt Zimmerman <mdz@debian.org>:
Extra info received and forwarded to list. Copy sent to Robert Millan <rmh@debian.org>.


Message #29 received at 273694@bugs.debian.org:

From: Matt Zimmerman <mdz@debian.org>
To: Robert Millan <rmh@debian.org>
Cc: 273694@bugs.debian.org
Subject: Re: Bug#273694: Patch
Date: Mon, 27 Sep 2004 15:55:29 -0700

On Tue, Sep 28, 2004 at 12:31:04AM +0200, Robert Millan wrote:

> On Mon, Sep 27, 2004 at 02:22:15PM -0700, Matt Zimmerman wrote:
> > tags 273694 patch
> > thanks
> > 
> > Patch from Herbert Xu to fix the bug.
> 
> Thanks.  Fixed in unstable.  Will you take care of woody/sarge?

woody, yes.  sarge will either need the fix from unstable, or a
proposed-updates upload from you.

-- 
 - mdz



Reply sent to Robert Millan <rmh@debian.org>:
You have taken responsibility.


Notification sent to Jeroen van Wolffelaar <jeroen@wolffelaar.nl>:
Bug acknowledged by developer.


Message #34 received at 273694-close@bugs.debian.org:

From: Robert Millan <rmh@debian.org>
To: 273694-close@bugs.debian.org
Subject: Bug#273694: fixed in netkit-telnet 0.17-26
Date: Mon, 27 Sep 2004 18:47:05 -0400

Source: netkit-telnet
Source-Version: 0.17-26

We believe that the bug you reported is fixed in the latest version of
netkit-telnet, which is due to be installed in the Debian FTP archive:

netkit-telnet_0.17-26.diff.gz
  to pool/main/n/netkit-telnet/netkit-telnet_0.17-26.diff.gz
netkit-telnet_0.17-26.dsc
  to pool/main/n/netkit-telnet/netkit-telnet_0.17-26.dsc
telnet_0.17-26_i386.deb
  to pool/main/n/netkit-telnet/telnet_0.17-26_i386.deb
telnetd_0.17-26_i386.deb
  to pool/main/n/netkit-telnet/telnetd_0.17-26_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 273694@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Robert Millan <rmh@debian.org> (supplier of updated netkit-telnet package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Tue, 28 Sep 2004 00:22:59 +0200
Source: netkit-telnet
Binary: telnetd telnet
Architecture: source i386
Version: 0.17-26
Distribution: unstable
Urgency: high
Maintainer: Robert Millan <rmh@debian.org>
Changed-By: Robert Millan <rmh@debian.org>
Description: 
 telnet     - The telnet client.
 telnetd    - The telnet server.
Closes: 273694
Changes: 
 netkit-telnet (0.17-26) unstable; urgency=high
 .
   * telnetd/utility.c: Fix remote DOS hole (CAN-2004-0911). Thanks Herbert Xu.
     (Closes: #273694)
Files: 
 a4f1cf736c480d339911b6c8a8a191f1 589 net standard netkit-telnet_0.17-26.dsc
 bd782bc1a02ac832d5f66f0ffc4a356e 25188 net standard netkit-telnet_0.17-26.diff.gz
 7a102906bb5576c94f31758fb46224e4 63840 net standard telnet_0.17-26_i386.deb
 3f3fb892a4b322d967150bf263897ffa 40628 net optional telnetd_0.17-26_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)

iD8DBQFBWJbmC19io6rUCv8RAholAJ90G1nWykTZcNTqiC6YqOtuBAWRxQCcCAP0
BauhZG7zC50VoFBug1VnQmU=
=usO9
-----END PGP SIGNATURE-----





Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 00:44:45 2025; Machine Name: bembo