From owner-freebsd-security  Tue Oct 24 08:51:58 1995
Return-Path: owner-security
Received: (from root@localhost)
          by freefall.freebsd.org (8.6.12/8.6.6) id IAA18524
          for security-outgoing; Tue, 24 Oct 1995 08:51:58 -0700
Received: from vhf.dataradio.com (G496.InterLink.NET [198.168.61.62])
          by freefall.freebsd.org (8.6.12/8.6.6) with ESMTP id IAA18517
          for <security@freebsd.org>; Tue, 24 Oct 1995 08:51:50 -0700
Received: (from root@localhost) by vhf.dataradio.com (8.6.9/8.6.12) id LAA28650; Tue, 24 Oct 1995 11:51:28 -0400
Date: Tue, 24 Oct 1995 11:51:27 -0400 (EDT)
From: Dataradio sysadmin <root@vhf.dataradio.com>
To: "David A. Borman" <dab@berserkly.cray.com>
cc: davidg@Root.COM, hartmans@mit.edu, security@freebsd.org
Subject: Re: telnetd fix
In-Reply-To: <9510241523.AA05306@frenzy.cray.com>
Message-ID: <Pine.BSF.3.91.951024114920.28496F-100000@vhf.dataradio.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@freebsd.org
Precedence: bulk

On Tue, 24 Oct 1995, David A. Borman wrote:

> 
> >    Hi; I've been thinking about the telnetd security patch that was recently
> > sent out. I've been watching the list of "vulnerable" environment variables
> > grow daily...I really think that excluding certain environment variables is the
> > wrong approach to solving the problem. I think it is is much wiser to do an

[snip]

Have I missed something here?
 
Why not just compile telnetd / login as a statically linked programs, and
voila, no worry about possibly switching libc under their noses. 

-----
Andrew Webster          DATARADIO, Inc.
Network Manager         http://www.dataradio.com
Special Projects        awebster@dataradio.com