[14751] in Kerberos


Re: Kerberos telnet and today's telnet vulnerability announcement

daemon@ATHENA.MIT.EDU (Jeffrey Altman)
Thu Jul 26 17:08:41 2001

From: jaltman@watsun.cc.columbia.edu (Jeffrey Altman)
Date: 26 Jul 2001 20:58:22 GMT
Message-ID: <9jq09e$44r$1@newsmaster.cc.columbia.edu>
To: kerberos@MIT.EDU

In article <20010726151439.B22964@sm2p1386swk.wdr.com>,
Nicolas Williams <Nicolas.Williams@ubsw.com> wrote:
: On Thu, Jul 26, 2001 at 11:44:56AM -0700, Booker C. Bense wrote:
: > On 24 Jul 2001, Ken Raeburn wrote:
: > 
: > > Yes, it applies.  Tom's working on a patch.
: > >
: > 
: > - Is it likely to be much different from the FreeBSD patches?
: > (i.e. get rid of nfrontp and use output_data() ?)
: 
: I can't speak for the MIT folk, BUT, FreeBSD has produced patches to the
: telnetd in their "port" of MIT krb5 v1.2.2, and it applies cleanly to
: plain MIT krb5 v1.2.2. So, unless MIT is working on a different angle
: for solving the problem, I don't see why their patch should have to be
: much different from the FreeBSD patch.
: 

I think the patch that will be released will be fairly different
from the FreeBSD patch.  The FreeBSD patch has a couple of 
problems:

 . it doesn't handle the transmission of urgent data properly

 . it has the potential for stack overflows because of recursive
   calls between netflush() and output_data()

Give MIT a few days to do this right.  You can use the FreeBSD patch
in the meantime if you feel there is a significant need.

 Jeffrey Altman * Sr.Software Designer      C-Kermit 8.0 Beta available
 The Kermit Project @ Columbia University   includes Secure Telnet and FTP
 http://www.kermit-project.org/             using Kerberos, SRP, and 
 kermit-support@kermit-project.org          OpenSSL.  SSH soon to follow.
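
The two concerns raised in the message (bounded writes into the output buffer, and recursion between the flush and output routines) can be illustrated with the following added example. It is not part of the original message and is not the FreeBSD or MIT code. The names out_append, out_flush and sink_write, and the buffer sizes, are hypothetical; the flush routine never calls back into the append path, so call depth stays constant however much data is queued.

```c
#include <stddef.h>
#include <string.h>

#define OBUF_SIZE 64               /* constructed size, small to force flushes */
static char obuf[OBUF_SIZE];       /* pending output */
static char sink[4096];            /* stands in for the network socket */
static size_t obuf_len, sink_len;  /* bytes queued / bytes "sent" */
static size_t sink_room = 16;      /* bytes the "socket" accepts per write */
static int depth, max_depth;       /* observed nesting of append/flush calls */

/* Hypothetical write(2) stand-in: accepts at most sink_room bytes per call. */
static size_t sink_write(const char *p, size_t n)
{
    if (n > sink_room) n = sink_room;
    if (n > sizeof sink - sink_len) n = sizeof sink - sink_len;
    memcpy(sink + sink_len, p, n);
    sink_len += n;
    return n;
}

/* Flush: one partial write; never calls back into the append path. */
static size_t out_flush(void)
{
    if (++depth > max_depth) max_depth = depth;
    size_t n = sink_write(obuf, obuf_len);
    memmove(obuf, obuf + n, obuf_len - n);   /* keep unsent bytes at the front */
    obuf_len -= n;
    depth--;
    return n;
}

/* Append: every copy is bounded by the free space; a full buffer is
 * handled by looping on out_flush() instead of recursing. */
static int out_append(const char *data, size_t len)
{
    if (++depth > max_depth) max_depth = depth;
    while (len > 0) {
        size_t room = OBUF_SIZE - obuf_len;
        if (room == 0) {
            if (out_flush() == 0) { depth--; return -1; }  /* no progress */
            continue;
        }
        size_t n = len < room ? len : room;
        memcpy(obuf + obuf_len, data, n);
        obuf_len += n; data += n; len -= n;
    }
    depth--;
    return 0;
}
```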
