A patch exists and is available via anonymous FTP from 'net-dist.mit.edu' in the directory '/pub/telnet'. The patch (which is also included in this message) can be found in the file '/pub/telnet/telnet.patch'. The file '/pub/telnet/telnet.patch.sig' contains a detached PGP signature of this file. Users of NCSA Telnet should upgrade to NCSA Telnet 2.6.1d4, which is available from 'ftp.ncsa.uiuc.edu' in the directory '/Mac/Telnet/Telnet2.6/prerelease/d4'. Customers of FTP Software with an encrypting telnet (provided in the PC/TCP or OnNet packages) should call the FTP technical support line at 1-800-282-4387 and ask for the 'tn encrypt patch'.
The Berkeley telnet client contains a flaw that may lead to unauthorized password exposure. It is possible to gain access to encrypted passwords when the telnet client uses Kerberos 4, which may lead to a loss of confidentiality, integrity and/or availability.
Upgrade to NCSA version 2.6.1d7 or higher, as it has been reported to fix this vulnerability. BSD has also released a patch to address this vulnerability.