Updated: inetutils-1.3.2-23

Corinna Vinschen corinna-cygwin@cygwin.com
Mon Jul 7 21:13:00 GMT 2003


I've updated the version of inetutils in cygwin/latest to 1.3.2-23.

This is a security update.  It solves the problem described as

  CERT® Advisory CA-2001-21 Buffer Overflow in telnetd

See http://www.cert.org/advisories/CA-2001-21.html.

An overflowable buffer was found in the version of telnetd included in
the Cygwin net distribution.  Due to incorrect bounds checking of data
buffered for output to the remote client, an attacker can cause the
telnetd process to overflow the buffer and crash, or execute arbitrary
code as the user running telnetd, usually SYSTEM.  A valid user account
and password are not required to exploit this vulnerability, only the
ability to connect to a telnetd server.
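As an added illustration of the defect class the advisory describes (this is
not code from inetutils, Cygwin or CERT; the struct, function names and the
64-byte size are assumptions), the pattern a fixed-size output buffer needs:
every append checks the space left before copying, refuses data that can
never fit, and drains the buffer when the pending reply would not fit.

```c
/* Added example: a bounded output buffer in the style of a server that
 * queues protocol replies for a remote client.  Names and sizes are
 * assumptions, not the telnetd source. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NETOBUF_SIZE 64   /* deliberately small so the bound is easy to exercise */

struct outbuf {
    char   data[NETOBUF_SIZE];
    size_t used;            /* bytes queued; invariant: used <= NETOBUF_SIZE */
    size_t flushed_bytes;   /* total bytes handed to the simulated socket */
    size_t flushes;         /* how often the buffer was drained */
};

void outbuf_init(struct outbuf *b)
{
    memset(b, 0, sizeof *b);
}

size_t outbuf_remaining(const struct outbuf *b)
{
    return NETOBUF_SIZE - b->used;
}

/* Stand-in for writing the queued bytes to the client socket. */
void outbuf_flush(struct outbuf *b)
{
    if (b->used == 0)
        return;
    b->flushed_bytes += b->used;
    b->flushes++;
    b->used = 0;
}

/* Queue n bytes for the client.  The two checks are exactly what an
 * unchecked memcpy into the output buffer lacks: a reply that can never
 * fit is refused (-1), and one that does not fit right now forces a flush
 * first, so the copy below can never run past the end of data[]. */
int outbuf_append(struct outbuf *b, const void *src, size_t n)
{
    if (n > NETOBUF_SIZE)
        return -1;                      /* too large for any state of the buffer */
    if (n > outbuf_remaining(b))
        outbuf_flush(b);                /* make room; used is now 0 */
    memcpy(b->data + b->used, src, n);  /* safe: n <= remaining by construction */
    b->used += n;
    return 0;
}

/* Walk through the three cases; returns 0 on success, else the failing step. */
int outbuf_demo(void)
{
    struct outbuf b;
    char reply[128];
    outbuf_init(&b);
    memset(reply, 'A', sizeof reply);   /* constructed sample: a long protocol reply */

    if (outbuf_append(&b, reply, 40) != 0 || b.used != 40)
        return 1;                       /* fits in the empty buffer */
    if (outbuf_append(&b, reply, 30) != 0 || b.flushes != 1
        || b.flushed_bytes != 40 || b.used != 30)
        return 2;                       /* did not fit; flushed, then queued */
    if (outbuf_append(&b, reply, 100) != -1 || b.used != 30)
        return 3;                       /* oversize reply refused, state untouched */
    return 0;
}

int main(void)
{
    int rc = outbuf_demo();
    printf("bounded output buffer demo: %s\n", rc == 0 ? "ok" : "failed");
    return rc;
}
```

The point of the shape is that the only `memcpy` into `data[]` is guarded by a
check derived from the buffer's own capacity, so growing the reply (the
condition the advisory says an unauthenticated client can trigger) degrades
to an extra flush or a refused append instead of a write past the array.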

This version also contains the so far unannounced fixes from versions
1.3.2-21 and 1.3.2-22:

- In inetd, don't call AllocConsole on 9x/Me.  This results
  in not opening an extra DOS window when starting some native
  console applications.

- rlogin used the wrong (old BSD) technique to evaluate the
  speed to send to rlogind, due to a BSD-centric preprocessor
  directive.  This could lead to a crash.


=========================================================================
                          IMPORTANT NOTE:

- When updating inetutils, make sure that inetd.exe and any
  processes it has started are no longer running.

=========================================================================

To update your installation, click on the "Install Cygwin now" link on
the http://cygwin.com web page.  This downloads setup.exe to your system.

Run setup and answer all of the questions.

Note that if this is the first time that you've run the new GUI version
of setup, it will currently download the whole cygwin net release again.
After this point it will only download what is needed.

If you have questions or comments, please send them to the Cygwin
mailing list at:  cygwin@cygwin.com .  I would appreciate
if you would use this mailing list rather than emailing me directly.
This includes ideas and comments about the setup utility or Cygwin
in general.

If you want to make a point or ask a question, the Cygwin mailing list is
the appropriate place.

              *** CYGWIN-ANNOUNCE UNSUBSCRIBE INFO ***

If you want to unsubscribe from the cygwin-announce mailing list, look
at the "List-Unsubscribe: " tag in the email header of this message.
Send email to the address specified there.  It will be in the format:

cygwin-announce-unsubscribe-you=yourdomain.com@sources.redhat.com

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Developer                                mailto:cygwin@cygwin.com
Red Hat, Inc.