From: Slackware Security Team <security@slackware.com>
To: slackware-security@bob.slackware.com
Subject: [slackware-security] netkit-telnet buffer overflow patched
Date: Thu, 9 Aug 2001 23:40:51 -0700 (PDT)

An exploitable overflow has been found in the telnetd daemon contained in
Slackware's tcpip1 package. More information about the problem may be
found here: http://www.securityfocus.com/archive/1/203000

We urge all Slackware users to upgrade to a patched in.telnetd as soon as
possible. Upgraded tcpip1.tgz packages as well as telnetd.tgz packages
containing only the fix have been prepared for Slackware 7.1 and 8.0.

WHERE TO FIND THE NEW PACKAGES:
-------------------------------
Updated tcpip1 package for Slackware 8.0:
ftp://ftp.slackware.com/pub/slackware/slackware-8.0/patches/packages/tcpip1.tgz

Updated tcpip1 package for Slackware 7.1:
ftp://ftp.slackware.com/pub/slackware/slackware-7.1/patches/packages/tcpip1.tgz

Patch package (just in.telnetd) for Slackware 8.0:
ftp://ftp.slackware.com/pub/slackware/slackware-8.0/patches/patches/telnetd.tgz

Patch package (just in.telnetd) for Slackware 7.1:
ftp://ftp.slackware.com/pub/slackware/slackware-7.1/patches/packages/telnetd.tgz

MD5 SIGNATURES:
---------------
Here are the md5sums for the packages:

Slackware 8.0:
bff3b57e4dc784f03d7af78df31d74f6 ./packages/tcpip1.tgz
b8956efcaaa0573be4bf7396e2976621 ./patches/telnetd.tgz

Slackware 7.1:
d0962b984fec93cf9fef0260538ed372 ./packages/tcpip1.tgz
d895b816b0d026367377e481e9ecfd46 ./packages/telnetd.tgz

INSTALLATION INSTRUCTIONS:
--------------------------
It is recommended that the tcpip1 package be upgraded in single user
mode (runlevel 1). Bring the system into runlevel 1:

   # telinit 1

Then upgrade the packages:

   # upgradepkg <package name>.tgz

Then bring the system back into multiuser mode:

   # telinit 3

The problem can also be patched using the telnetd.tgz patch package
instead. Simply install as root:

   # installpkg telnetd.tgz

This will move the old in.telnetd out of the way and install the new one
to be used for subsequent connections. Existing telnet connections will
not be interrupted.

Remember, it's also a good idea to back up configuration files before
upgrading packages.

- Slackware Linux Security Team
http://www.slackware.com
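
The check the md5 list above is meant for, as an added example that is not part of Slackware's advisory: a POSIX shell helper that looks up the published sum for the correct release and rejects a file that does not match. It assumes `md5sum` and `awk` are on the PATH; the function names are illustrative.

```shell
#!/bin/sh
# Added example, not part of the advisory: check a downloaded package against
# the md5sums above before running upgradepkg or installpkg on it.

# The advisory's md5 listing, copied verbatim. tcpip1.tgz appears under both
# releases with different sums, so the lookup must be keyed on the release.
ADVISORY_MD5='Slackware 8.0:
bff3b57e4dc784f03d7af78df31d74f6 ./packages/tcpip1.tgz
b8956efcaaa0573be4bf7396e2976621 ./patches/telnetd.tgz
Slackware 7.1:
d0962b984fec93cf9fef0260538ed372 ./packages/tcpip1.tgz
d895b816b0d026367377e481e9ecfd46 ./packages/telnetd.tgz'

# expected_md5 <listing> <release> <listed path>
# Prints the published sum; exits non-zero if the pair is not listed.
expected_md5() {
    printf '%s\n' "$1" | awk -v rel="$2:" -v path="$3" '
        /:$/ { cur = $0; next }        # release header, e.g. "Slackware 8.0:"
        cur == rel && $2 == path { print $1; found = 1; exit }
        END { exit !found }'
}

# verify_md5 <file> <expected sum>: 0 on match, 1 on mismatch or missing file.
verify_md5() {
    [ -f "$1" ] || return 1
    actual=$(md5sum "$1" | awk '{ print $1 }')
    [ "$actual" = "$2" ]
}

# check_package <release> <listed path> <local file>
# Returns 0 only when the local file matches the sum published for that release.
check_package() {
    want=$(expected_md5 "$ADVISORY_MD5" "$1" "$2") || {
        echo "no md5 listed for $2 under $1" >&2; return 2; }
    verify_md5 "$3" "$want" || {
        echo "md5 mismatch for $3: do not install" >&2; return 1; }
    echo "$3: md5 matches advisory ($want)"
}

# Typical use on a Slackware 8.0 host (file name as downloaded):
#   check_package "Slackware 8.0" ./patches/telnetd.tgz telnetd.tgz \
#       && installpkg telnetd.tgz
```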