Bug in Kerb. BSD Telnet ??

[Luis Cerdas <lcerdas@lantech.co.cr>]

Hi,

The following message was sent to BugTraq, and I was wondering if it
applies to OpenBSD, or if it has already been dealt with (or doesn't
apply at all)...

Regards,
Luis Cerdas

Mr Spooty wrote:
> 
> I don't know if this has already been brought to people's attention
> already, but if it hasn't, here you go:
> 
> We have discovered a serious security problem found in the Berkeley
> telnet client.  This bug only affects telnet clients which provide
> support for the experimental telnet encryption option using the
> Kerberos V4 authentication.  All known, released versions of the BSD
> telnet that support Kerberos V4 authentication and encryption are
> affected by this bug.
> 
> It is recommended that all sites who use encrypted telnet in
> conjuction with Kerberos V4 apply this patch immediately.
> 
> This patch, along with the domestic version of the most recently
> released telnet sources from Berkeley, are available via anonymous ftp
> from net-dist.mit.edu in the directory /pub/telnet.
> 
> The patch (which is also included in this message) can be found in the
> file /pub/telnet/telnet.patch.  The file /pub/telnet/telnet.patch.sig
> contains a detached PGP signature of this file.
> 
> Users of NCSA Telnet should upgrade to the NCSA telnet 2.6.1d4, which
> is available via from ftp.ncsa.uiuc.edu in the directory
> /Mac/Telnet/Telnet2.6/prerelease/d4.
> 
> Customers of ftp Software with an encrypting telnet (provided in the
> PC/TCP or OnNet packages) should call the ftp technical support line
> at 1-800-282-4387 and ask for the "tn encrypt patch".
> 
> If you have an encrypting telnet from some other vendor, please
> contact that vendor for information regarding how to get a fixed
> version.
> 
> HotBot - Search smarter.
> http://www.hotbot.com