Date: Tue, 10 Aug 1999 21:03:14 +0200
From: Martin Schulze <joey@finlandia.Infodrom.North.DE>
To: Linux Security Audit <security-audit@ferret.lmh.ox.ac.uk>
Subject: New cfingerd 1.4.0 - Configurable Finger Daemon

Contrary to what was written a year ago cfingerd is still maintained.

After several years of development I'm happy to present a new version of this package. The original author and former maintainer Ken Hollis has handed over development to me.

The new release 1.4.0 fixes all security issues that have been reported before and which I was aware of. I have summarized them on http://www.Infodrom.North.DE/cfingerd/security.html .

Addressed security reports include:

 . Don't allow userlist through search.*
 . Don't allow userlist through search.**
 . Buffer overflow in username
 . Root compromise through scripts
 . Possibility to regain root access

I would appreciate if you would pick the source and do a full audit on it.

Please find the new version at ftp://ftp.infodrom.north.de/pub/people/joey/cfingerd/cfingerd-1.4.0.tar.gz

Regards,

Joey

--
Experience is something you don't get until just after you need it.

Please always Cc to me when replying to me on the lists.