In article <[EMAIL PROTECTED]>,
Stephen Masterman  <[EMAIL PROTECTED]> wrote:
>>                      Debian/GNU Linux systems may be vulnerable if
>>                      NetKit-B-0.6 is installed. Until the official
>>                      fix-kit is available for Debian/GNU Linux, system
>>                      administrators of Debian systems are advised to
>>                      follow guidelines under Other Linux Distributions
>>                      section.
>
>Anyone have any more comments about this? There is no package called NetKit
>that I know of, I'm just curious if the developers have anything to say?

The Debian box I checked had all the netkit bugs in it, every last little
one except for one - the telnetd environment bug.

I've no idea what Debian has chosen to rename netkit as in its internal
packaging system, but at minimum you want to replace

o       rlogin          (TERM bug - present in all commercial systems I've
                         tried so ask vendors for a fix too)
o       talkd           (DNS spoofing flash bug, also spoof scribble)

Note: the rlogin bug requires an account to exploit.

o       rdist           IF you are running it setuid (buffer overrun as
                        seems traditional in older 4.x BSD derived code)

Alan
-- 
--------------------------------.----------------------------------------------
UKUU free UUCP Project Swansea  |   Alan Cox, <[EMAIL PROTECTED]>
+44 1792 422028 (Cabletel)      |   Custom Linux Software Projects.
Sonix 33.6K  24x7               |   Linux Consultancy. Linux Networking.
