Subject: Re: Heimdal telnet DOS advisory
To: Ed Ravin <firstname.lastname@example.org>
From: Jason Thorpe <email@example.com>
Date: 03/15/2006 14:23:28

On Mar 15, 2006, at 12:33 PM, Ed Ravin wrote:
> Title: Heimdal TelnetD Denial of Service
> Description: Heimdal is a free implementation of the Kerberos 5
> network authentication protocol. It contains several Kerberos-enabled
> network server applications. The "telnetd" program provides remote
> access. It is prone to a remote denial of service vulnerability due to
> a design error in the application during the initial connection to
> telnetd before authentication. The resulting NULL pointer de-reference
> causes telnetd to crash.
> Ref: http://www.us.debian.org/security/2006/dsa-977
>
> The fix is in Heimdal 0.6.6, but NetBSD seems to still be using
> Heimdal 0.6.3.

While NetBSD does ship Heimdal Kerberos 5, NetBSD does not use the
Heimdal telnetd implementation.