A format string bug was recently discovered in screen
that can be used to gain elevated privileges if screen is setuid. Debian GNU/Linux 2.1
(slink) shipped screen setuid, and the exploit can be used to gain root
privileges there. In Debian GNU/Linux 2.2 (potato) screen is not setuid and is not vulnerable
to a root exploit. screen is, however, setgid utmp in Debian GNU/Linux 2.2 (potato), and
we recommend upgrading.
A fixed screen package is available as version 3.7.4-9.1 for Debian GNU/Linux
2.1 (slink) and as version 3.9.5-9 for Debian GNU/Linux 2.2 (potato).
Note: for slink, we are releasing binary packages for i386 only at this time.
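
To check a host against the two conditions above (privilege bits on the screen binary and the installed package version), the following script can be used. It is an added example, not part of the original advisory; the default path /usr/bin/screen and the function names are assumptions, and the version comparison relies on dpkg being present.

```shell
#!/bin/sh
# Added example (not from the advisory): local exposure check for screen.
# The default path /usr/bin/screen is an assumption; pass another as $1.

# Report which privilege bits are set on a file.
priv_bits() {
    [ -e "$1" ] || { echo missing; return 1; }
    if [ -u "$1" ] && [ -g "$1" ]; then echo "setuid+setgid"
    elif [ -u "$1" ]; then echo setuid
    elif [ -g "$1" ]; then echo setgid
    else echo none
    fi
}

# Map the bits to what the advisory says about that configuration.
verdict() {
    case $1 in
        setuid*) echo "privilege escalation possible: upgrade now" ;;
        setgid)  echo "not a root exploit, but upgrade recommended" ;;
        none)    echo "binary grants no extra privileges" ;;
        *)       echo "binary not found" ;;
    esac
}

# True when the installed version is at or above the fixed one (needs dpkg).
is_fixed() {
    dpkg --compare-versions "$1" ge "$2"
}

audit_screen() {
    bin=${1:-/usr/bin/screen}
    fixed=${2:-3.9.5-9}   # potato fix; pass 3.7.4-9.1 on slink
    bits=$(priv_bits "$bin") || true
    echo "$bin: $bits ($(verdict "$bits"))"
    if command -v dpkg-query >/dev/null 2>&1; then
        ver=$(dpkg-query -W -f='${Version}' screen 2>/dev/null) || ver=
        if [ -z "$ver" ]; then echo "screen package not installed"
        elif is_fixed "$ver" "$fixed"; then echo "version $ver includes the fix"
        else echo "version $ver predates $fixed"
        fi
    fi
}

# Run the audit only when called with arguments, e.g. ./check.sh /usr/bin/screen
if [ $# -gt 0 ]; then audit_screen "$@"; fi
```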