This is the mail archive of the
mailing list for the Cygwin project.
[ANNOUNCEMENT] Updated: inetutils-1.3.2-23
- From: Corinna Vinschen <corinna-cygwin at cygwin dot com>
- To: cygwin at cygwin dot com
- Date: Mon, 7 Jul 2003 17:15:24 -0400 (EDT)
- Subject: [ANNOUNCEMENT] Updated: inetutils-1.3.2-23
- Reply-to: cygwin at cygwin dot com
I've updated the version of inetutils in cygwin/latest to 1.3.2-23.
This is a security update. It solves the problem described as
CERT® Advisory CA-2001-21 Buffer Overflow in telnetd
An overflowable buffer was found in the version of telnetd included in
the Cygwin net distribution. Due to incorrect bounds checking of data
buffered for output to the remote client, an attacker can cause the
telnetd process to overflow the buffer and crash, or execute arbitrary
code as the user running telnetd, usually SYSTEM. A valid user account
and password is not required to exploit this vulnerability, only the
ability to connect to a telnetd server.
This version also contains the so far unannounced fixes from versions
1.3.2-21 and 1.3.2-22:
- In inetd, don't call AllocConsole on 9x/Me. This results
in not opening an extra DOS window when starting some native
- rlogin used the wrong (old BSD) technique to evaluate the
speed to send to rlogind due to a BSD centric precompiler
directive. This could lead to a crash.
- When updating inetutils, take care that inetd.exe and subsequent
processes don't run anymore.
To update your installation, click on the "Install Cygwin now" link on
the http://cygwin.com web page. This downloads setup.exe to your system.
Run setup and answer all of the questions.
Note that if this is the first time that you've run the new GUI version
of setup, it will currently download the whole cygwin net release again.
After this point it will only download what is needed.
If you have questions or comments, please send them to the Cygwin
mailing list at: firstname.lastname@example.org . I would appreciate
if you would use this mailing list rather than emailing me directly.
This includes ideas and comments about the setup utility or Cygwin
If you want to make a point or ask a question the Cygwin mailing list is
the appropriate place.
Corinna Vinschen
Cygwin Developer
Red Hat, Inc.
Please, send mails regarding Cygwin to mailto:email@example.com