Bug 59563 (CVE-2001-0554)

Summary: VUL-0: CVE-2001-0554: telnet: Question about old telnet cert advisory
Product: [Novell Products] SUSE Security Incidents
Reporter: Thomas Saupe <tsaupe>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: VERIFIED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: ihno, meissner
Version: unspecified
Target Milestone: ---
Hardware: S/390
OS: Linux
Whiteboard: CVE-2001-0554: CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Bug Depends on:
Bug Blocks: 42294

Description Thomas Saupe 2004-09-01 18:37:55 UTC
Request from: mkprice@us.ibm.com

--8<--

PRODUCT: SLES S/390 8
(Please ignore if my previous attempt at creating this request succeeded.)

We have a customer who has recently purchased a network vulnerability tool from xforce. When he runs this on his SLES8 SP3 system, he gets a warning that the system is suffering from the TelnetdOptionTelrcvBo problem.

This keyword appears to be uniquely associated with CVE-2001-0554 (CERT 745371) - an old buffer overflow issue with telnetd.

The security advisory precedes SLES8; and the patch for the problem appears in the version of telnet-server that the customer is running (telnet-server-1.0-140).

Furthermore, we cannot recreate CERT 745371 here in house.

We are attempting to speak with xforce to find out why their product is producing this warning message; but because the customer is so anxious about this, I promised that I would enquire from SuSE if you are aware of any outstanding buffer overflow problems with the current version of telnet-server.

-->8--
Comment 1 Thomas Saupe 2004-09-01 18:37:55 UTC
Not sure whether we provide such information at all.
But a statement would be appreciated.
Comment 2 Thomas Biege 2004-09-01 20:48:09 UTC
Good old times. :) 
 
This bug was fixed by Thorsten 3 years ago when this issue came up: 
------------------------------------------------------------------- 
Tue Aug 14 13:54:53 CEST 2001 - kukuk@suse.de 
 
- Add more fixes for possible security problems 
 
------------------------------------------------------------------- 
Fri Jul 27 11:09:03 CEST 2001 - kukuk@suse.de 
 
- Add fix for possible problems with buffer overruns 
 
------------------------------------------------------------------- 
 
 
Maybe the scanner produces a "False Positive". 
Comment 3 Thomas Saupe 2004-09-02 15:49:33 UTC
Thanks, the customer is satisfied with this response. 
I will close the report. 
Comment 4 Thomas Biege 2009-10-13 19:32:18 UTC
CVE-2001-0554: CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)