NOTE!! Does _not_ affect RH6.0 or newer because of a netkit source change.

Just a bug FYI, in case you're still supporting 5.2.

See bogus use of fprintf() in announce.c: print_mesg(). "%s" is missing. May be remotely exploitable. If I had a RH5.2 machine I'd research this but.... :-)

See Bugtraq post here for someone who spotted this change in the OpenBSD tree: http://www.securityfocus.com/archive/1/137482
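The defect class named in the report, a message passed to the printf family as the format string instead of through a constant "%s", shown as an added example (not part of the original report and not the netkit source). The function names and the sample message are hypothetical; the sample uses only "%%", which consumes no arguments, so both calls are well defined.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the flawed pattern: the caller-supplied
 * message is handed to the printf family as the format string. */
static int emit_as_format(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int r = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return r;
}

/* Corrected pattern: the format is the constant "%s" and the
 * message is passed only as data, so it is never interpreted. */
static int emit_as_data(char *out, size_t n, const char *msg)
{
    return snprintf(out, n, "%s", msg);
}

/* Audit helper: count the '%' directives that would fetch an argument
 * if msg were used as a format ("%%" is a literal and fetches none). */
static int conversions_in(const char *msg)
{
    int count = 0;
    for (const char *p = msg; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') { p++; continue; }
        count++;
    }
    return count;
}

int main(void)
{
    const char *msg = "disk 100%% full";   /* constructed sample input */
    char a[64], b[64];

    emit_as_format(a, sizeof a, msg);      /* message is interpreted */
    emit_as_data(b, sizeof b, msg);        /* message is preserved */
    printf("as format: %s\nas data:   %s\n", a, b);
    printf("directives in \"%%x %%s\": %d\n", conversions_in("%x %s"));
    return 0;
}
```

Building with `-Wformat -Wformat-security` makes GCC and Clang warn when a non-literal string is passed directly as a printf-family format with no arguments.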
Thanks for reporting, but 5.2 is now out of the supported systems.

Read ya,
Phil

PS: I just took over our internal ownership of this package, so I can't tell you why a fix hasn't been done earlier. :)