1. Topic:
A denial of service attack has been fixed in in.telnetd.
2. Bug IDs fixed:
4560
3. Relevant releases/architectures:
Red Hat Linux 6.0, all architectures
4. Obsoleted by:
None
5. Conflicts with:
None
6. RPMs required:
Intel:
ftp://updates.Red Hat.com/6.0/i386/
telnet-
0.10-29.i386.rpm
Alpha:
ftp://updates.Red Hat.com/6.0/alpha
telnet-
0.10-29.alpha.rpm
SPARC:
ftp://updates.Red Hat.com/6.0/sparc
telnet-
0.10-29.sparc.rpm
Source:
ftp://updates.Red Hat.com/6.0/SRPMS
telnet-
0.10-29.src.rpm
Architecture neutral:
ftp://updates.Red Hat.com/6.0/noarch/
7. Problem description:
in.telnetd attempts to negotiate a compatible terminal type
between the local and remote host. By setting the TERM
environment variable before connecting, a remote user could
cause the system telnetd to open files it should not. Depending
on the TERM setting used, this could lead to denial of service
attacks.
Thanks go to Michal Zalewski and the Linux Security Audit team
for noting this vulnerability.
8. Solution:
For each RPM for your particular architecture, run:
rpm -Uvh filename
where filename is the name of the RPM.
Then, restart inetd, by running:
/etc/rc.d/init.d/inet restart
9. Verification:
MD5 sum Package Name
-------------------------------------------------------------------------
4360d47490f13d60b8737d28dc88825a i386/telnet-0.10-29.i386.rpm
90213fcdca41a3ed12ab7d92344e7286 alpha/telnet-0.10-29.alpha.rpm
277787dbc39dff8ea84d4b16dcb7a954 sparc/telnet-0.10-29.sparc.rpm
269783a0754d234f7bef0f4717a8dbc2 SRPMS/telnet-0.10-29.src.rpm
These packages are also PGP signed by Red Hat Inc. for security. Our
key is available at:
http://www.Red Hat.com/corp/contac
t.html
You can verify each package with the following command:
rpm --checksig filename
If you only wish to verify that each package has not been corrupted or
tampered with, examine only the md5sum with the following command:
rpm --checksig --nopgp filename
10. References:
