
Re: telnetd vulnerability from BUGTRAQ



Hi,

  so, again, for some locked people. There is maybe an application in
Debian which is remotely exploitable. This application will probably
also be in the next stable release. This thread is about this situation. I
(and some other people) use telnetd only in very specific situations
where there isn't any other possibility. I don't like using telnetd and I
know about the risks and I take the necessary actions to minimize them! You
probably have all your systems 10 meters around you. I have some systems
which are thousands of kilometers away. Please, stop speaking about the Holy
Grail (sshd) and go to the fundamental thing - is or isn't one standard
Debian application remotely exploitable.
  Yes, it's time to look at the sources and find the truth.
  Best regards,

         Milan Jurik

On Sun, 26 Sep 2004, s. keeling wrote:

> Incoming from Rick Moen:
> > Quoting Milan Jurik (M.Jurik@sh.cvut.cz):
> >
> > > The question isn't whether to stop using telnet. The question is why Debian's
> > > telnetd is still vulnerable.
> >
> > I'd apologise for the off-topic digression -- if I thought I'd given
> > offence.  ;->
>
> No-one should have to apologise for warning against bad security
> practices.  $DEITY knows the Windows crowd doesn't care about it, but
> we're better than that, right?  One unpatched Microsh*t box in your
> LAN, and one nitwit using IE, and your whole network is owned.  It
> would be irresponsible not to warn others about it.
>
> If/when they get in, they can also get a sniffer in.  If you're
> running telnet, you're fooling yourself.  If you're using ssh
> ubiquitously, that's yet another vector closed to them.
>
> I don't have a lot of patience for those who think, "Yes, we know the
> risks, but we'd rather not change."  Evolution in action, indeed.
>
>
> --
> Any technology distinguishable from magic is insufficiently advanced.
> (*)               http://www.spots.ab.ca/~keeling
> - -
>


