   > The list of uids is already public in the /etc/passwd file.  That file
   > is already world readable.  Therefore it isn't clear to me how using
   > another command makes this a vulnerability.

   Using fingerd, this could disclose login names to remote attackers.
   This, of course, does not apply to local invocation of some tool that
   uses normal user privileges.

But running fingerd already discloses login names, that is the whole
point of finger.

