| From | Debian FTP Masters <ftpmaster@ftp-master.debian.org> |
|---|---|
| Newsgroups | linux.debian.changes |
| Subject | Accepted inetutils 2:2.4-2+deb12u3 (source) into oldstable-proposed-updates |
| Date | 2026-04-03 22:40 +0200 |
| Message-ID | <MFTt7-ctfq-23@gated-at.bofh.it> |
| Organization | linux.* mail to news gateway |
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Mon, 30 Mar 2026 16:52:10 +0200
Source: inetutils
Architecture: source
Version: 2:2.4-2+deb12u3
Distribution: bookworm-security
Urgency: high
Maintainer: Guillem Jover <guillem@debian.org>
Changed-By: Guillem Jover <guillem@debian.org>
Closes: 1130741 1130742
Changes:
 inetutils (2:2.4-2+deb12u3) bookworm-security; urgency=high
 .
   * Add patch from upstream:
     - Prevent privilege escalation via telnetd abusing systemd service
       credentials support added to the login(1) implementation of util-linux in
       release 2.40. Reported by Ron Ben Yizhak <ron.benyizhak@safebreach.com>.
       Fixes CVE-2026-28372.
     - Ignore all environment options from clients unless the variable was
       listed in the new --accept-env telnetd option. This mitigates privilege
       escalation using environment variables.
       This is the complete fix for CVE-2026-24061, with its own CVE pending.
     - Fix stack buffer overflow processing SLC suboption triplets.
       Reported by Adiel Sol, Arad Inbar, Erez Cohen, Nir Somech, Ben Grinberg,
       Daniel Lubel at DREAM Security Research Team.
       Fixes CVE-2026-32746. (Closes: #1130742)
   * Add the hashcode-string1 module from forky/sid gnulib adapted to bookworm
     required by the --accept-env patch, and the gl_hash_set, gl_set, gl_xset
     and gl_anyhash bookworm gnulib modules required by hashcode-string1.
     Inject new gnulib modules in lib/Makefile.am.
   * Adapt netkit-telnet patch to not leak unexported environment variables to
     telnetd. Reported by Justin Swartz <justin.swartz@risingedge.co.za>.
     Fixes CVE-2026-32772. (Closes: #1130741)
   * Prevent user local privilege escalation using --debug, which was
     susceptible to symlink attacks, or leaking on-wire credentials to a
     user that had pre-created the file and kept it open. Fix by switching
     from /tmp/telnet.debug to /run/telnet/debug.<pid>, and making the
     setup error checks fatal.
     Partially reported by Justin Swartz <justin.swartz@risingedge.co.za>.
   * Update local telnetd man page to match new --debug behavior.
Checksums-Sha1:
6700e9a0b0ea1b4bb99917b23807f3a0166a6bea 3226 inetutils_2.4-2+deb12u3.dsc
f2e9d17b7e05a9d6e000d060ec2ffee4389750d8 95376 inetutils_2.4-2+deb12u3.debian.tar.xz
de4e6de955bb3c20a1563a45f57b512aab17dc4c 13963 inetutils_2.4-2+deb12u3_amd64.buildinfo
Checksums-Sha256:
4f6544f84b3fc6940784181d4afedc91304d84bd274f865698953fa44e94d07a 3226 inetutils_2.4-2+deb12u3.dsc
d0701181ac2e19250c30b0e48057f633e5e870deb1d8e2142cf64fc01ad1d2ec 95376 inetutils_2.4-2+deb12u3.debian.tar.xz
a9a436fb4734d91974d20e3802c3f0987488810d517a40064275b9d3956d6be6 13963 inetutils_2.4-2+deb12u3_amd64.buildinfo
Files:
3add01bc8917bc0d892c25eb976e5ade 3226 net optional inetutils_2.4-2+deb12u3.dsc
5f5ef6d98d1a83c77cbc151a57d32880 95376 net optional inetutils_2.4-2+deb12u3.debian.tar.xz
0b50961de92b47ecfd988686e29dc02d 13963 net optional inetutils_2.4-2+deb12u3_amd64.buildinfo