Red Hat Bugzilla – Bug 1271
security issue mentioned in comp.risks 20.22
Last modified: 2008-05-01 11:37:49 EDT
Essentially it's possible to fill up the process table on a machine by making repeated connections to the inetd invoked finger daemon. i've submitted a fix for this to the author mentioned in the README file (dholland@hcs.harvard.edu). in addition i uploaded rpm's with this patch to incoming.redhat.com. their names: finger-0.10-6.i386.rpm finger-0.10-6.src.rpm ------- Email Received From kevin lyda <kevin@suberic.net> 02/21/99 17:25 ------- ------- Email Received From kevin lyda <kevin@suberic.net> 02/21/99 17:25 -------
sorry, i didn't update the documentation. this bug has been mentioned in lwn.net by the way, so hopefully you can use this to get security brownie points. :) the new files live on incoming.redhat.com, and they're called finger-0.10-7.src.rpm and finger-0.10-7.i386.rpm. it has the updated man page, as well as a small tweak of the usage blurb. also, dholland is no longer the maintainer. i've asked him who is, and i'll pass the info back if you'd like.
Patch applied in finger-0.10-23. Thanks.