Date: Mon, 13 Mar 1995 20:44:27 +0100 (MET)
From: Remy.Card@masi.ibp.fr (Remy CARD)
To: hackers@FreeBSD.org
Subject: finger @ bug (fwd)
Message-ID: <199503131944.UAA10022@hebe.ibp.fr>

This has just been sent to the linux-security mailing list. Since
FreeBSD's fingerd also has the bug, could someone please integrate the fix?

Remy

Forwarded message:
> Subject: finger @ bug
> To: linux-security@tarsier.cv.nrao.edu
> Date: Mon, 13 Mar 1995 14:58:31 +0100 (MEZ)
> From: Marek Michalkiewicz <ind43@ci3ux.ci.pwr.wroc.pl>
>
> Hi,
>
> in.fingerd has a bug which allows "recursive" fingering. For example:
>
> finger user@host.other.domain@host.domain
>
> The bug is known for quite some time, and is not Linux-specific (it exists
> at least in SunOS, Solaris, SCO, IRIX, FreeBSD - but has been fixed in HP-UX
> for example). It has some security implications: if you only allow finger
> access from local domain, you must do this on all machines in local domain,
> and it makes denial of service attack possible, especially on smaller Linux
> boxes (by forking lots of processes).
>
> I have sent a patch for this to Florian. You can get fixed in.fingerd
> source from ftp://ftp.ists.pwr.wroc.pl/pub/linux/bugfixes/fingerd.tar.gz
> or wait for a new NetKit-B release.
>
> BTW, linux.nrao.edu has this problem too...
>
> Regards,
> --
> Marek Michalkiewicz
> marekm@i17linuxa.ists.pwr.wroc.pl || ind43@ci3ux.ci.pwr.wroc.pl
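
The finger client splits its argument at the last "@", so the example in the message reaches the daemon on host.domain as the request line "user@host.other.domain"; a daemon that does not relay can refuse any request line containing "@". The C filter below is an added illustration of that check, not part of the e-mail and not the patch it mentions or the NetKit/FreeBSD code; check_finger_request(), the verdict names and the 512-byte limit are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

#define FINGER_MAX_LINE 512   /* assumed request-length limit for this sketch */

enum finger_verdict { FINGER_OK = 0, FINGER_FORWARD_DENIED, FINGER_BAD_REQUEST };

/* Hypothetical helper: classify one request line as read from the socket.
 * A '@' anywhere in the line asks this host to relay the query to another
 * host, so it is refused before any lookup or fork happens. */
enum finger_verdict check_finger_request(const char *line)
{
    size_t len = strcspn(line, "\r\n");      /* request ends at CR or LF */

    if (len >= FINGER_MAX_LINE)
        return FINGER_BAD_REQUEST;           /* oversized request */
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)line[i];
        if (c == '@')
            return FINGER_FORWARD_DENIED;    /* user@host or bare @host */
        if ((c < 0x20 && c != '\t') || c == 0x7f)
            return FINGER_BAD_REQUEST;       /* control bytes */
    }
    return FINGER_OK;                        /* local query, may be empty */
}

int main(void)
{
    /* Constructed request lines, as the daemon would receive them. */
    static const char *samples[] = {
        "\r\n",                        /* list logged-in users */
        "user\r\n",                    /* local user lookup */
        "/W user\r\n",                 /* verbose local lookup */
        "user@host.other.domain\r\n",  /* relay request from the message */
        "@host.other.domain\r\n",      /* relay request without a user */
    };
    static const char *names[] = { "ok", "forwarding denied", "bad request" };

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        size_t n = strcspn(samples[i], "\r\n");
        printf("%-24.*s -> %s\n", (int)n, samples[i],
               names[check_finger_request(samples[i])]);
    }
    return 0;
}
```

Running the check on the raw request line, before the daemon starts any child process, addresses both points raised in the message: the local-domain access restriction can no longer be bypassed through a relaying host, and a relay request no longer causes a process to be forked.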