RH6.0: in.telnetd (RHSA-1999:029-01)
Posted by LinuxSecurity.com Team   
RedHat Linux A denial of service attack has been fixed in in.telnetd.
Red Hat, Inc. Security Advisory
Package in.telnetd

Synopsis Denial of service attack in in.telnetd

Advisory ID RHSA-1999:029-01

Issue Date 1999-08-19

Updated on

Keywords telnet telnetd

1. Topic:
A denial of service attack has been fixed in in.telnetd.

2. Bug IDs fixed:

3. Relevant releases/architectures:
Red Hat Linux 6.0, all architectures

4. Obsoleted by:

5. Conflicts with:

6. RPMs required:


ftp://updates.Red Hat.com/6.0/i386/

telnet- 0.10-29.i386.rpm


ftp://updates.Red Hat.com/6.0/alpha

telnet- 0.10-29.alpha.rpm


ftp://updates.Red Hat.com/6.0/sparc

telnet- 0.10-29.sparc.rpm


ftp://updates.Red Hat.com/6.0/SRPMS

telnet- 0.10-29.src.rpm

Architecture neutral:

ftp://updates.Red Hat.com/6.0/noarch/

7. Problem description:
in.telnetd attempts to negotiate a compatible terminal type between the local and remote host. By setting the TERM environment variable before connecting, a remote user could cause the system telnetd to open files it should not. Depending on the TERM setting used, this could lead to denial of service attacks.

Thanks go to Michal Zalewski and the Linux Security Audit team for noting this vulnerability.

8. Solution:
For each RPM for your particular architecture, run:

rpm -Uvh filename

where filename is the name of the RPM.

Then, restart inetd, by running:

/etc/rc.d/init.d/inet restart

9. Verification:

 MD5 sum                           Package Name


4360d47490f13d60b8737d28dc88825a  i386/telnet-0.10-29.i386.rpm

90213fcdca41a3ed12ab7d92344e7286  alpha/telnet-0.10-29.alpha.rpm

277787dbc39dff8ea84d4b16dcb7a954  sparc/telnet-0.10-29.sparc.rpm

269783a0754d234f7bef0f4717a8dbc2  SRPMS/telnet-0.10-29.src.rpm

These packages are also PGP signed by Red Hat Inc. for security. Our key is available at: http://www.Red Hat.com/corp/contac t.html

You can verify each package with the following command:

rpm --checksig filename

If you only wish to verify that each package has not been corrupted or tampered with, examine only the md5sum with the following command:

rpm --checksig --nopgp filename

10. References: