Here's something I noticed while preparing the advisory for a security update for krb5-appl (Bug 2064). For CVE-2011-4862, Mandriva's advisory says this: "In Mandriva the telnetd daemon from the netkit-telnet-server package does not have an initscript to start and stop the service, however one could rather easily craft an initscript or start the service by other means rendering the system vulnerable to this issue." And to go along with that they also issued an update for their netkit-telnet package (MDV 2011 only, same netkit-telnet version we have). I imagine this applies to us as well. If so, both Mageia 1 and Cauldron would be affected. Given the information in the advisory, it's unlikely that many people are directly affected by it, so I'll leave it up to the maintainer's discretion as to whether to issue an update for Mageia 1. The advisory is here: http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2011:195
CC: (none) => boklm
Hi, thanks for reporting this bug. Assigned to the package maintainer. (Please set the status to 'assigned' if you are working on it)
Keywords: (none) => Triaged
Assignee: bugsquad => boklm
I have fixed this in Cauldron. The patch is in SVN in Mageia 1. We can issue an update if someone feels it's necessary.
ping?
In the Mandriva advisory, they do list 2010.1, so we will need the update for users upgrading from 2010.2. Mandriva has krb5-appl-clients-1.0-4.2mdv2010.2; Mageia 1 has krb5-appl-clients-1.0.1-2.3.1.mga1. Note that prior testing, https://bugs.mageia.org/show_bug.cgi?id=2064#c22, showed the Mageia 1 Kerberos servers don't work with Kerberos authentication, so the only testing that will be done is without authentication.
CC: (none) => davidwhodgins
We have already updated krb5-appl and we have a newer version, and that's not what this bug was for. It was for the netkit-telnet package, which was affected by the same CVE. Mandriva only updated it in 2011 and noted that it's not actually vulnerable to the flaw out of the box. I can build an update for it if anyone thinks it's necessary; otherwise, I've fixed it in Cauldron, so this could be closed.
Closing as per comment 5.
Status: NEW => RESOLVED
Resolution: (none) => FIXED
CC: boklm => (none)