Mailing-List: contact cygwin-announce-help AT cygwin DOT com; run by ezmlm
Sender: cygwin-announce-owner AT cygwin DOT com
Delivered-To: mailing list cygwin-announce AT cygwin DOT com
Date: Mon, 7 Jul 2003 22:55:30 +0200
From: Corinna Vinschen
To: cygann
Subject: Updated: inetutils-1.3.2-23
Message-ID: <20030707205530.GB12368@cygbert.vinschen.de>
Reply-To: cygwin
Mime-Version: 1.0
Content-Type: text/plain; charset=unknown-8bit
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
User-Agent: Mutt/1.4.1i

I've updated the version of inetutils in cygwin/latest to 1.3.2-23.

This is a security update. It solves the problem described as

  CERT(R) Advisory CA-2001-21 Buffer Overflow in telnetd

See http://www.cert.org/advisories/CA-2001-21.html.

An overflowable buffer was found in the version of telnetd included in
the Cygwin net distribution. Due to incorrect bounds checking of data
buffered for output to the remote client, an attacker can cause the
telnetd process to overflow the buffer and crash, or execute arbitrary
code as the user running telnetd, usually SYSTEM. A valid user account
and password are not required to exploit this vulnerability, only the
ability to connect to a telnetd server.

This version also contains the so far unannounced fixes from versions
1.3.2-21 and 1.3.2-22:

- In inetd, don't call AllocConsole on 9x/Me. This results in not
  opening an extra DOS window when starting some native console
  applications.

- rlogin used the wrong (old BSD) technique to evaluate the speed to
  send to rlogind due to a BSD centric precompiler directive. This
  could lead to a crash.

=========================================================================
IMPORTANT NOTE:

- When updating inetutils, take care that inetd.exe and subsequent
  processes don't run anymore.
=========================================================================

To update your installation, click on the "Install Cygwin now" link on
the http://cygwin.com web page. This downloads setup.exe to your system.
Run setup and answer all of the questions.

Note that if this is the first time that you've run the new GUI version
of setup, it will currently download the whole cygwin net release again.
After this point it will only download what is needed.

If you have questions or comments, please send them to the Cygwin
mailing list at: cygwin AT cygwin DOT com . I would appreciate if you
would use this mailing list rather than emailing me directly. This
includes ideas and comments about the setup utility or Cygwin in
general. If you want to make a point or ask a question the Cygwin
mailing list is the appropriate place.

*** CYGWIN-ANNOUNCE UNSUBSCRIBE INFO ***

If you want to unsubscribe to the cygwin-announce mailing list, look at
the "List-Unsubscribe: " tag in the email header of this message. Send
email to the address specified there. It will be in the format:

cygwin-announce-unsubscribe-you=yourdomain DOT com AT sources DOT redhat DOT com

--
Corinna Vinschen                         Please, send mails regarding Cygwin to
Cygwin Developer                                mailto:cygwin AT cygwin DOT com
Red Hat, Inc.
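Added example, not part of the announcement: a POSIX sh check that decides whether an installed inetutils package is older than the fixed 1.3.2-23 from this update, comparing Cygwin's "upstream-release" version strings component by component. The `cygcheck -c` output layout (a "Package Version Status" table) and the sample lines are assumptions constructed for the example.

```shell
#!/bin/sh
# Fixed version named in the announcement; anything below it still has the
# CA-2001-21 telnetd buffer overflow.
FIXED="1.3.2-23"

# cmp_dotted A B: print -1, 0 or 1 for A <, =, > B, comparing dotted
# numeric strings one component at a time (1.3.10 > 1.3.2, 1.4 > 1.3.2).
cmp_dotted() {
    x=$1; y=$2
    while [ -n "$x" ] || [ -n "$y" ]; do
        xc=${x%%.*}; yc=${y%%.*}
        if [ "$xc" = "$x" ]; then x=""; else x=${x#*.}; fi
        if [ "$yc" = "$y" ]; then y=""; else y=${y#*.}; fi
        xc=${xc:-0}; yc=${yc:-0}          # missing trailing component counts as 0
        if [ "$xc" -lt "$yc" ]; then printf '%s\n' -1; return; fi
        if [ "$xc" -gt "$yc" ]; then printf '%s\n' 1; return; fi
    done
    printf '%s\n' 0
}

# vercmp A B: like cmp_dotted, but for Cygwin "upstream-release" strings.
# The upstream part decides first; the release number breaks ties.
# A string without a release number is treated as release 0.
vercmp() {
    a_up=${1%-*}; a_rel=${1##*-}
    b_up=${2%-*}; b_rel=${2##*-}
    if [ "$a_rel" = "$1" ]; then a_rel=0; fi
    if [ "$b_rel" = "$2" ]; then b_rel=0; fi
    r=$(cmp_dotted "$a_up" "$b_up")
    if [ "$r" != 0 ]; then printf '%s\n' "$r"; return; fi
    cmp_dotted "$a_rel" "$b_rel"
}

# inetutils_vulnerable OUTPUT: succeeds when the inetutils line in the given
# cygcheck-style table is older than FIXED; fails (status 2) if not listed.
inetutils_vulnerable() {
    ver=$(printf '%s\n' "$1" | awk '$1 == "inetutils" { print $2 }')
    if [ -z "$ver" ]; then echo "inetutils not installed" >&2; return 2; fi
    [ "$(vercmp "$ver" "$FIXED")" -lt 0 ]
}

# Constructed sample in the assumed "cygcheck -c inetutils" layout.
SAMPLE='Cygwin Package Information
Package              Version        Status
inetutils            1.3.2-22       OK'

if inetutils_vulnerable "$SAMPLE"; then
    echo "inetutils older than $FIXED: update and make sure inetd.exe is stopped first"
fi
```

On a real Cygwin host, pass `"$(cygcheck -c inetutils)"` to `inetutils_vulnerable` instead of the constructed sample.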