FreeBSD contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when a malicious user sends an absolute path file name instead of a user name when fingering a victim, which will disclose file contents rather than return user information and result in a loss of confidentiality.
Upgrade to version 4.1.1-STABLE or higher, as it has been reported to fix this vulnerability. It is also possible to correct the flaw by implementing the following workaround: disable the finger protocol in /etc/inetd.conf by commenting out the service.
#finger stream tcp nowait/3/10 nobody /usr/libexec/fingerd fingerd -s
On IPv6-connected systems, be sure to disable the IPv6 instance of the finger daemon as well:
#finger stream tcp6 nowait/3/10 nobody /usr/libexec/fingerd fingerd -s
Also, FreeBSD has released a patch.