There is a security hole in versions 0.9.2 and 0.11.1 of SSL(-MZ)telnet. All users of ssltelnet should update to the newest version, which is 0.11.2. It is available from
ftp://ftp.uni-mainz.de/pub/internet/security/ssl/SSL-MZapps/SSL-MZtelnet-0.11.2.tar.gt
or from its mirrors. A new Debian Linux version was also released and will appear soon on ftp://nonus.debian.org/pub/debian-non-US.

Description of the problem:

telnetd has a debugging function in it which writes to /tmp/SSL.log. Some calls to this function were not removed in the release version. If someone would link /tmp/SSL.log to a system file and then telnet into the machine, the system file would be corrupted.

Christoph Martin

--
Christoph Martin, Uni-Mainz, Germany
Internet-Mail: Christoph.Martin@Uni-Mainz.DE
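The debug-log pattern described in the advisory, next to a hardened variant, as an added example that is not SSL-MZtelnet's own code. The function names and the scratch directory standing in for /tmp are assumptions made for illustration.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Pattern from the advisory: append to a fixed name in a shared directory.
 * fopen() follows a symlink at `path`, so the write lands in its target. */
int debug_log_unsafe(const char *path, const char *msg)
{
    FILE *fp = fopen(path, "a");
    if (fp == NULL)
        return -1;
    fputs(msg, fp);
    return fclose(fp) == 0 ? 0 : -1;
}

/* Hardened variant: refuse a symlink as the final path component, then check
 * on the open descriptor that it is a regular, singly linked file we own. */
int debug_log_safe(const char *path, const char *msg)
{
    struct stat st;
    int fd = open(path, O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1; /* ELOOP when the final component is a symlink */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_nlink != 1 || st.st_uid != geteuid()) {
        close(fd);
        return -1;
    }
    ssize_t n = write(fd, msg, strlen(msg));
    close(fd);
    return n == (ssize_t)strlen(msg) ? 0 : -1;
}

int main(void)
{
    /* Constructed scratch directory and stand-in "system file". */
    char dir[] = "/tmp/ssllog-demo-XXXXXX", target[64], logp[64];
    if (mkdtemp(dir) == NULL)
        return 1;
    snprintf(target, sizeof target, "%s/system_file", dir);
    snprintf(logp, sizeof logp, "%s/SSL.log", dir);
    if (debug_log_unsafe(target, "important\n") != 0 || symlink(target, logp) != 0)
        return 1;
    printf("safe logger on symlink:   %d\n", debug_log_safe(logp, "dbg\n"));
    printf("unsafe logger on symlink: %d\n", debug_log_unsafe(logp, "dbg\n"));
    return 0;
}
```

Keeping the log in a directory that only the daemon can write to removes the need for these checks.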