Debian Security Advisory

xinetd -- bug in access control mechanism

Date Reported: 19 Jun 2000
Affected Packages: xinetd
Vulnerable: No
Security database references: In Mitre's CVE dictionary: CVE-2000-0536.
More information:
Certain versions of xinetd have a bug in the access control mechanism. If you use a hostname to control access to a service (localhost instead of 127.0.0.1), xinetd will allow any connection from hosts that fail a reverse look-up.

The version of xinetd in Debian 2.1 (slink) does not support the access control mechanism and is not vulnerable to this problem. (Those testing Debian 2.2--potato--should upgrade to at least version 2.1.8.8.p3-1.)
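
A configuration check that follows from the advisory, added here as an example (not Debian's or xinetd's code): it lists name-based entries in xinetd access-control attributes, which is the configuration the advisory describes as affected. It assumes the access lists are written with the `only_from` and `no_access` attributes; the sample configuration is constructed.

```python
import ipaddress
import re

# xinetd attributes that take host lists for access control (assumed in use).
ACL_ATTRS = {"only_from", "no_access"}

# Constructed sample configuration, not taken from the advisory.
SAMPLE_CONF = """\
service telnet
{
    socket_type = stream
    only_from   = localhost 192.168.1.0/24
}
service ftp
{
    only_from   = 127.0.0.1
    no_access   = gateway.example.org
}
"""

def is_numeric(entry):
    """True for IP addresses, CIDR networks and factorized forms like 10.0.0.{1,2}."""
    try:
        ipaddress.ip_network(entry, strict=False)
        return True
    except ValueError:
        return re.fullmatch(r"[0-9.]+\.\{[0-9,]+\}", entry) is not None

def find_hostname_acls(conf_text):
    """Return (line, block, attribute, entry) for each name-based ACL entry."""
    findings, block = [], None
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"(?:service\s+(\S+)|(defaults))$", line)
        if m:
            block = m.group(1) or m.group(2)
            continue
        m = re.match(r"(\w+)\s*(?:\+=|-=|=)\s*(.*)$", line)
        if m and m.group(1) in ACL_ATTRS:
            findings += [(lineno, block, m.group(1), e)
                         for e in m.group(2).split() if not is_numeric(e)]
    return findings

if __name__ == "__main__":
    for lineno, block, attr, entry in find_hostname_acls(SAMPLE_CONF):
        print(f"line {lineno}: {block}: {attr} uses name '{entry}'")
```

Numeric addresses and networks pass silently; every reported entry is a name that xinetd would have to resolve when applying the access list.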