COMMAND

    telnet

SYSTEMS AFFECTED

    Berkeley telnet client with support for Kerberos V4 authentication and encryption

PROBLEM

    Mr. Spooty reported the following.  He has discovered a serious
    security problem in the Berkeley telnet client.  This bug only
    affects telnet clients which provide support for the experimental
    telnet encryption option using Kerberos V4 authentication.  All
    known, released versions of the BSD telnet that support Kerberos
    V4 authentication and encryption are affected by this bug.

SOLUTION

    It is recommended that all sites that use encrypted telnet in
    conjunction with Kerberos V4 apply the patch immediately.  This
    patch, along with the domestic version of the most recently
    released telnet sources from Berkeley, is available via anonymous
    ftp from

        ftp://net-dist.mit.edu/pub/telnet

    Users of NCSA Telnet should upgrade to NCSA telnet 2.6.1d4, which
    is available from

        ftp://ftp.ncsa.uiuc.edu/Mac/Telnet/Telnet2.6/prerelease/d4

    Customers of FTP Software with an encrypting telnet (provided in
    the PC/TCP or OnNet packages) should call the FTP technical
    support line at 1-800-282-4387 and ask for the "tn encrypt patch".

    If you have an encrypting telnet from some other vendor, please
    contact that vendor for information regarding how to get a fixed
    version.