-----BEGIN PGP SIGNED MESSAGE-----

We have discovered a serious security problem found in the Berkeley
telnet client.  This bug only affects telnet clients which provide
support for the experimental telnet encryption option using the
Kerberos V4 authentication.  All known, released versions of the BSD
telnet that support Kerberos V4 authentication and encryption are
affected by this bug.

It is recommended that all sites who use encrypted telnet in
conjuction with Kerberos V4 apply this patch immediately.

This patch, along with the domestic version of the most recently
released telnet sources from Berkeley, are available via anonymous ftp
from net-dist.mit.edu in the directory /pub/telnet.  

The patch (which is also included in this message) can be found in the
file /pub/telnet/telnet.patch.  The file /pub/telnet/telnet.patch.sig
contains a detached PGP signature of this file.

Users of NCSA Telnet should upgrade to the NCSA telnet 2.6.1d4, which
is available via from ftp.ncsa.uiuc.edu in the directory
/Mac/Telnet/Telnet2.6/prerelease/d4.

Customers of ftp Software with an encrypting telnet (provided in the
PC/TCP or OnNet packages) should call the ftp technical support line
at 1-800-282-4387 and ask for the "tn encrypt patch".

If you have an encrypting telnet from some other vendor, please
contact that vendor for information regarding how to get a fixed
version.


					Theodore Ts'o
					tytso@mit.edu
					February 15, 1995


-----BEGIN PGP SIGNATURE-----
Version: 2.6.1

iQCVAwUBL0J6mUQVcM1Ga0KJAQH5RQP/UiH3ByLOa3nDczfnuIp2ToM+ix59CiHF
hIHMFfbWkzW1ggvCYhsdKe8rxwNQWqyAxWIBfvyQwv36LAt6c97QKEzF0XPKYD8S
vE+lQt3B71BOgdqaFDmth0+lENbLe7YRIfvrSDw/LIVut5rSl4cgtscceioLIzBp
8Zp1ENMBXR4=
=2feL
-----END PGP SIGNATURE-----
