Merry Christmas from the FreeBSD Security Team

Ian Smith smithi at nimnet.asn.au
Sat Dec 24 05:57:03 UTC 2011


On Fri, 23 Dec 2011 09:34:45 -0800, Colin Percival wrote:
 > On 12/23/11 09:08, Tim Zingelman wrote:
 > > On Fri, 23 Dec 2011, FreeBSD Security Officer wrote:
 > >> Unfortunately my hand was forced: One of the issues (FreeBSD-SA-11:08.telnetd)
 > >> is a remote root vulnerability which is being actively exploited in the wild;
 > >> bugs really don't come any worse than this.  On the positive side, most people
 > >> have moved past telnet and on to SSH by now; but this is still not an issue we
 > >> could postpone until a more convenient time.
 > > 
 > > Is there any reason this would not apply to telnetd from most other
 > > vendors?  In particular MIT Kerberos & heimdal?
 > 
 > It probably applies to everyone shipping BSD telnetd -- I notified the projects
 > I could think of, but I'm sure I missed a few.

OS/2 Warp?  Or do you figure IBM is big enough to look after itself? :)

On a less frivolous but probably too picky note, I guess it's obvious 
enough that in the case of named (and telnet, if not run from inetd), 
one needs to restart the server after patching as advised?

On behalf of Scrooges everywhere, thanks for these and all your work!

Solsticial cheers, Ian

