Bug 4286

Summary: netkit-telnet security issue CVE-2011-4862
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: Nicolas Vigier <boklm>
Status: RESOLVED FIXED
QA Contact:
Severity: normal
Priority: Normal
CC: davidwhodgins
Version: Cauldron
Keywords: Triaged
Target Milestone: ---
Hardware: i586
OS: Linux
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4862
Whiteboard:
Source RPM: netkit-telnet-0.17-11.mga1.src.rpm
CVE:
Status comment:

Description David Walser 2012-01-26 04:11:30 CET
Here's something I noticed while preparing the advisory for a security update for krb5-appl (Bug 2064).

For CVE-2011-4862, Mandriva's advisory says this:
"In Mandriva the telnetd daemon from the netkit-telnet-server package
does not have an initscript to start and stop the service, however
one could rather easily craft an initscript or start the service by
other means rendering the system vulnerable to this issue."

And to go along with that they also issued an update for their netkit-telnet package (MDV 2011 only, same netkit-telnet version we have).  I imagine this applies to us as well.  If so, both Mageia 1 and Cauldron would be affected.  Given the information in the advisory, it's unlikely that many people are directly affected by it, so I'll leave it up to the maintainer's discretion as to whether to issue an update for Mageia 1.

The advisory is here:
http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2011:195

David Walser 2012-01-26 04:11:44 CET

CC: (none) => boklm

Comment 1 Manuel Hiebel 2012-01-27 00:26:36 CET
Hi, thanks for reporting this bug.
Assigned to the package maintainer.

(Please set the status to 'assigned' if you are working on it)

Keywords: (none) => Triaged
Assignee: bugsquad => boklm

Comment 2 David Walser 2012-02-18 23:48:02 CET
I have fixed this in Cauldron.  The patch is in SVN in Mageia 1.  We can issue an update if someone feels it's necessary.

Comment 3 Manuel Hiebel 2012-03-06 01:30:23 CET
ping ?

Comment 4 Dave Hodgins 2012-03-06 01:58:53 CET
In the mandriva advisory, they do list 2010.1, so we will need the update
for users upgrading from 2010.2.
Mandriva has krb5-appl-clients-1.0-4.2mdv2010.2
Mageia 1 has krb5-appl-clients-1.0.1-2.3.1.mga1

Note that prior testing,
https://bugs.mageia.org/show_bug.cgi?id=2064#c22
showed the Mageia 1 kerberos servers don't work with kerberos
authentication, so the only testing that will be done is without
authentication.

CC: (none) => davidwhodgins

Comment 5 David Walser 2012-03-06 02:05:12 CET
We have already updated krb5-appl and we have a newer version, and that's not what this bug was for.  It was for the netkit-telnet package, which was affected by the same CVE.  Mandriva only updated it in 2011 and noted that it's not actually vulnerable to the flaw out of the box.  I can build an update for it if anyone thinks it's necessary, otherwise, I've fixed it in Cauldron, so this could be closed.

Comment 6 Manuel Hiebel 2012-05-09 21:10:37 CEST
ping ?

Comment 7 Dave Hodgins 2012-05-11 01:26:35 CEST
Closing as per comment 5.

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Nicolas Vigier 2014-05-08 18:06:02 CEST

CC: boklm => (none)