Change History (6)
comment:1 by , 18 months ago
| Priority: | normal → high |
|---|
comment:2 by , 18 months ago
Noteworthy changes in release 2.4 (2022-10-25) [stable]
ifconfig
- Support specifying prefix netmask lengths in -A.
- Hurd: tell pfinet translator interfaces to configure
ftp
- Avoid crash caused by signed integer overflow resulting in out-of-bounds buffer access.
- Avoid crash caused by heap buffer overflow.
- Avoid crash caused by NULL pointer dereference.
- Avoid crash caused by infinite macro recursion.
telnetd
- Avoid crash on 0xff 0xf7 (IAC EC) or 0xff 0xf8 (IAC EL). CVE-2022-39028 https://pierrekim.github.io/blog/2022-08-24-2-byte-dos-freebsd-netbsd-telnetd-netkit-telnetd-inetutils-telnetd-kerberos-telnetd.html
telnet
- Fix a buffer overflow problem. CVE-2019-0053 https://cgit.freebsd.org/src/commit/?id=14aab889f4e50072a6b914eb95ebbfa939539dad
tftp
- Avoid crashing when given unexpected or invalid commands from tty.
Other
- Various bugs fixes, internal improvements and clean ups.
- Update of gnulib and build fixes for C23.
follow-up: 6 comment:3 by , 18 months ago
I'm not sure how high the security issue is. telnet/telnetd have been deprecated for years and should really be removed completely.
comment:4 by , 18 months ago
| Resolution: | → fixed |
|---|---|
| Status: | new → closed |
Fixed at commit 3f4304998a76ef3bd6141cf7a32cb6740bf032a6.
comment:6 by , 18 months ago
Replying to Bruce Dubbs:
I'm not sure how high the security issue is. telnet/telnetd have been deprecated for years and should really be removed completely.
I'd weakly advocate for keeping telnet, as a testing tool. I use it often to test pop3 and imap server, as it allows to connect to any port and then issue commands.
Note:
See TracTickets
for help on using tickets.
Mark as High due to CVEs being fixed (CVE-2019-0053 and CVE-2022-39028) being fixed in this version, which are under active exploitation.