From: Slackware Security Team <security@slackware.com>
To: slackware-security@bob.slackware.com
Subject: [slackware-security] netkit-telnet buffer overflow patched
Date: Thu, 9 Aug 2001 23:40:51 -0700 (PDT)


An exploitable overflow has been found in the telnetd daemon contained in
Slackware's tcpip1 package.  More information about the problem may be
found here:  http://www.securityfocus.com/archive/1/203000

We urge all Slackware users to upgrade to a patched in.telnetd as soon as
possible.  Upgraded tcpip1.tgz packages as well as telnetd.tgz packages
containing only the fix have been prepared for Slackware 7.1 and 8.0.

WHERE TO FIND THE NEW PACKAGES:
-------------------------------
Updated tcpip1 package for Slackware 8.0:
ftp://ftp.slackware.com/pub/slackware/slackware-8.0/patches/packages/tcpip1.tgz

Updated tcpip1 package for Slackware 7.1:
ftp://ftp.slackware.com/pub/slackware/slackware-7.1/patches/packages/tcpip1.tgz

Patch package (just in.telnetd) for Slackware 8.0:
ftp://ftp.slackware.com/pub/slackware/slackware-8.0/patches/patches/telnetd.tgz

Patch package (just in.telnetd) for Slackware 7.1:
ftp://ftp.slackware.com/pub/slackware/slackware-7.1/patches/packages/telnetd.tgz

MD5 SIGNATURES:
---------------

Here are the md5sums for the packages:

Slackware 8.0:
bff3b57e4dc784f03d7af78df31d74f6  ./packages/tcpip1.tgz
b8956efcaaa0573be4bf7396e2976621  ./patches/telnetd.tgz

Slackware 7.1:
d0962b984fec93cf9fef0260538ed372  ./packages/tcpip1.tgz
d895b816b0d026367377e481e9ecfd46  ./packages/telnetd.tgz

INSTALLATION INSTRUCTIONS:
--------------------------

It is recommended that the tcpip1 package be upgraded in single user
mode (runlevel 1).  Bring the system into runlevel 1:

   # telinit 1

Then upgrade the packages:

   # upgradepkg <package name>.tgz

Then bring the system back into multiuser mode:

   # telinit 3


The problem can also be patched using the telnetd.tgz patch package
instead.  Simply install as root:

   # installpkg telnetd.tgz

This will move the old in.telnetd out of the way and install the new one
to be used for subsequent connections.  Existing telnet connections will
not be interrupted.


Remember, it's also a good idea to back up configuration files before
upgrading packages.

- Slackware Linux Security Team
  http://www.slackware.com
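
Added example (not part of the original advisory): one way to check a downloaded telnetd.tgz against the md5sums listed above before installing it. The function names verify_md5 and install_if_verified and the MD5_TELNETD_* variables are hypothetical helpers; the hashes are copied from the advisory, and md5sum and awk are assumed to be available on the system.

```shell
#!/bin/sh
# Added example: verify a downloaded package against the md5sum published
# in the advisory before handing it to installpkg.

# Checksums copied from the advisory's "MD5 SIGNATURES" section.
MD5_TELNETD_80=b8956efcaaa0573be4bf7396e2976621   # Slackware 8.0 telnetd.tgz
MD5_TELNETD_71=d895b816b0d026367377e481e9ecfd46   # Slackware 7.1 telnetd.tgz

# verify_md5 EXPECTED FILE
# Returns 0 if FILE's MD5 equals EXPECTED, 1 on mismatch, 2 if unreadable.
verify_md5() {
    expected=$1
    file=$2
    if [ ! -r "$file" ]; then
        echo "cannot read $file" >&2
        return 2
    fi
    # md5sum prints "<hash>  <name>"; keep only the hash field.
    actual=$(md5sum "$file" | awk '{print $1}')
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file"
        return 0
    fi
    echo "MISMATCH: $file (got $actual, expected $expected)" >&2
    return 1
}

# install_if_verified EXPECTED FILE
# Runs installpkg only when the checksum matches; otherwise leaves the
# system untouched and returns non-zero.
install_if_verified() {
    if ! verify_md5 "$1" "$2"; then
        echo "refusing to install $2" >&2
        return 1
    fi
    installpkg "$2"
}

# Typical use as root on Slackware 8.0, after downloading telnetd.tgz:
#   install_if_verified "$MD5_TELNETD_80" ./telnetd.tgz
```

A mismatch means the download is corrupt or is not the package the advisory describes; fetch it again before installing.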