Date: Sat, 3 Jul 1999 17:19:41 -0400 From: Andreas Bogk <andreas@ANDREAS.ORG> Subject: Re: cfingerd 1.3.2 To: BUGTRAQ@NETSPACE.ORG "Larry W. Cashdollar" <lwcashd@BIW.COM> writes: > An easy and quick Patch for cfingerd 1.3.2. if you really need to run finger. If you _really_ want to run finger without having to worry, you should use dfingerd by David Lichteblau. It is modelled after ffingerd by Felix von Leitner. The ffingerd blurb says: It disallows symbolic links as ~/.plan and ~/.project files, does not display unnecessary but potentially useful information for an attacker, like the shell or the home directory and disallows indirect and @host queries. A compile time option is fascist logging (even positive queries are syslogged). You can get ffingerd at ftp://ftp.fu-berlin.de/pub/unix/security/ffingerd/ffingerd-1.21.tar.gz dfingerd has an identical feature set, but is written in Dylan. Since amongst the many features of Dylan are bounds checking for arrays and dynamically growing strings, this should eliminate all buffer overflows and associated exploits. You can find out about Dylan at: http://www.gwydiondylan.org/ and you can get dfingerd at ftp://berlin.ccc.de/pub/gd/contributions/dfingerd-0.2.tar.gz Andreas -- "We show that all proposed quantum bit commitment schemes are insecure because the sender, Alice, can almost always cheat successfully by using an Einstein-Podolsky-Rosen type of attack and delaying her measurement until she opens her commitment." ( http://xxx.lanl.gov/abs/quant-ph/9603004 )