netkit-telnetd /might/ be affected, apparently there is no Debian patchset for this (small) vulnerability yet:

=============
Multiple Vendor Telnet Client Information Disclosure Vulnerability

iDEFENSE Security Advisory 06.14.05
www.idefense.com/application/poi/display?id=260&type=vulnerabilities
June 14, 2005

I. BACKGROUND

The TELNET protocol allows virtual network terminals to be connected to over the internet. The initial description of the telnet protocol was given in RFC854 in May 1983. Since then there have been many extra features added including encryption.

II. DESCRIPTION

Remote exploitation of an input validation error in multiple telnet clients could allow an attacker to gain sensitive information about the victim's system.

The vulnerability specifically exists in the handling of the NEW-ENVIRON command. In order to exploit this vulnerability, a malicious server can send a connected client the following telnet command:

    SB NEW-ENVIRON SEND ENV_USERVAR <name of environment variable> SE

Vulnerable telnet clients will send the contents of the reference environment variable, which may contain information useful to an attacker. The expected behavior would be only to send environment variables related directly to the operation of the telnet client (for example, TERM), or those specifically allowed by the user.
=============================
solar: could you have a look and confirm that we are indeed affected? Maybe the Debian patchset already includes the old RH patch...
I expect to be a little busy most of the week. If anybody else can take a peek that would be great. Being that we base our netkit on debs package and Ubuntu is based on deb we are probably ok. But I can't confirm right away.

- Ubuntu

Ubuntu supports and ships netkit-telnet, which has been patched to not disclose arbitrary environment variables for a long time now. The krb5 version is also available in the archive, however, it is unsupported and there will not be an official advisory for it. It will most likely be fixed by the community.
AFAICT the info disclosure is already fixed in that package.
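The expected client behavior the advisory describes (answer NEW-ENVIRON SEND only for variables the user allows), as an added example that is not part of the thread and is not netkit-telnet's or Debian's actual patch. The allowlist, the sample environment and the function names are assumptions made up for illustration; option codes are from RFC 1572.

```c
#include <stddef.h>
#include <string.h>

/* RFC 1572 NEW-ENVIRON codes. */
enum { ENV_IS = 0, ENV_VAR = 0, ENV_VALUE = 1, ENV_ESC = 2, ENV_USERVAR = 3 };

/* Constructed sample environment and export policy (assumptions). */
static const char *const sample_env[][2] = {
    { "TERM", "xterm" }, { "SSH_AUTH_SOCK", "/tmp/agent.1234" }, { NULL, NULL } };
static const char *const allowed[] = { "TERM", "DISPLAY", NULL };

/* Value of a variable that is both allowlisted and set; NULL otherwise. */
static const char *lookup_allowed(const unsigned char *name, size_t len) {
    int ok = 0;
    for (size_t i = 0; allowed[i]; i++)
        if (strlen(allowed[i]) == len && !memcmp(allowed[i], name, len)) ok = 1;
    for (size_t i = 0; ok && sample_env[i][0]; i++)
        if (strlen(sample_env[i][0]) == len && !memcmp(sample_env[i][0], name, len))
            return sample_env[i][1];
    return NULL;
}

/* req: bytes after "SB NEW-ENVIRON SEND", excluding the closing IAC SE.
 * Writes the reply body that follows "SB NEW-ENVIRON" (IS, then entries).
 * Returns its length, or 0 if out is too small. Sample values are plain
 * ASCII, so ESC/IAC quoting of values is not needed here. */
size_t build_is_reply(const unsigned char *req, size_t n,
                      unsigned char *out, size_t cap) {
    size_t o = 0, i = 0;
    if (cap < 1) return 0;
    out[o++] = ENV_IS;
    while (i < n) {
        unsigned char type = req[i++];
        size_t start = i; int escaped = 0;
        if (type != ENV_VAR && type != ENV_USERVAR) continue;
        while (i < n && req[i] != ENV_VAR && req[i] != ENV_USERVAR) {
            if (req[i] == ENV_ESC) { escaped = 1; if (i + 1 < n) i++; }
            i++;
        }
        size_t len = i - start;
        /* Escaped names, bare "send all" requests and unlisted names get nothing. */
        const char *val = escaped ? NULL : lookup_allowed(req + start, len);
        if (!val) continue;
        size_t vlen = strlen(val);
        if (o + len + vlen + 2 > cap) return 0;
        out[o++] = type;
        memcpy(out + o, req + start, len); o += len;
        out[o++] = ENV_VALUE;
        memcpy(out + o, val, vlen); o += vlen;
    }
    return o;
}
```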