FreeBSD just released their fixes for this problem:

 ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:49/telnetd-crypto.patch



Matt London writes:
>   I came across this at http://www.team-teso.net/ today, and I don't see
> any posts about it in the archive so far...
> 
> ---[cut]---
>     Within most of the current telnet daemons in use today there exist a buffer
>     overflow in the telnet option handling. Under certain circumstances it may
>     be possible to exploit it to gain root priviledges remotely.