Apple Unknown

Notified:  May 23, 2000 Updated: September 26, 2000

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

BSDI Unknown

Notified:  May 23, 2000 Updated: September 26, 2000

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Caldera Affected

Notified:  May 23, 2000 Updated: September 26, 2000

Status

Affected

Vendor Statement

After looking into the source code for Linux's netkit-telnet (version 0.16), I believe that it's not vulnerable to the PGPPASS problem. The client code that handles the ENVIRON option works okay if the server sends an empty list of variables (which means the client will send all "exported" environment variables), but fails miserably when a list of variable names is given. The code totally ignores ENV_VAR (which normally marks the start of a new env name), and when it comes across ENV_VALUE it will try to grok the variable name but stomps all over it with NUL bytes :-) So, to make a long story short, you can't use netkit-telnet to extract arbitrary variables from the user's environment. You can however retrieve exported variables. Unless the user does funny things in his .telnetrc file, the only variables exported should be USER, TERM and DISPLAY. So the damage that can be done with telnet: URLs is roughly the same as with rlogin: URLs. This does divulge some information, but only little more than an ident query would. My conclusion is that there's no urgent need to modify the rlogin and telnet clients in any way. In the long haul, browser vendors should probably rethink which URLs are allowed under which circumstances, and whether they require user confirmation (much like netscape's "you're about to enter a secure site").

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Compaq Computer Corporation Unknown

Notified:  May 23, 2000 Updated: September 26, 2000

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Data General Unknown

Notified:  May 23, 2000 Updated: September 26, 2000

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

FreeBSD Unknown

Notified:  May 23, 2000 Updated: September 26, 2000

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Fujitsu Unknown

Notified:  May 23, 2000 Updated: September 26, 2000

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Hewlett Packard Unknown

Notified:  May 23, 2000 Updated: September 26, 2000

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

IBM Unknown

Notified:  May 23, 2000 Updated: September 26, 2000

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Microsoft Not Affected

Notified:  May 23, 2000 Updated: September 26, 2000

Status

Not Affected

Vendor Statement

We checked our Telnet clients and we are okay for Windows NT4 and Windows 2000.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

NCR Unknown

Notified:  May 23, 2000 Updated: September 26, 2000

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

NEC Unknown

Notified:  May 23, 2000 Updated: September 26, 2000

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

NetBSD Unknown

Notified:  May 23, 2000 Updated: September 26, 2000

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

OpenBSD Unknown

Notified:  May 23, 2000 Updated: September 26, 2000

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

RedHat Unknown

Notified:  May 23, 2000 Updated: September 26, 2000

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

SCO Unknown

Notified:  May 23, 2000 Updated: September 26, 2000

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Sequent Unknown

Notified:  May 23, 2000 Updated: September 26, 2000

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

SGI Unknown

Notified:  May 23, 2000 Updated: September 26, 2000

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Siemens Nixdorf Unknown

Notified:  May 23, 2000 Updated: September 26, 2000

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Sony Unknown

Notified:  May 23, 2000 Updated: September 26, 2000

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Sun Unknown

Notified:  May 23, 2000 Updated: September 26, 2000

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Unisys Unknown

Notified:  May 23, 2000 Updated: September 26, 2000

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

U/WIN Affected

Notified:  November 13, 2000 Updated: November 13, 2000

Status

Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

CERT/CC has received credible third-party information suggesting that the U/WIN telnet client is vulnerable to this problem.

View all 23 vendors View less vendors