-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Format: 1.8 Date: Fri, 25 Nov 2022 00:45:09 +0100 Source: inetutils Architecture: source Version: 2:1.9.4-7+deb10u2 Distribution: buster-security Urgency: high Maintainer: Guillem Jover <guillem@debian.org> Changed-By: Guilhem Moulin <guilhem@debian.org> Closes: 945861 956084 993476 Changes: inetutils (2:1.9.4-7+deb10u2) buster-security; urgency=high . * Non-maintainer upload by the LTS Security Team. * Cherry-pick patches from s-p-u to fix: + CVE-2019-0053: inetutils' telnet client doesn't sufficiently validate environment variables, which can lead to stack-based buffer overflows. Closes: #945861. + CVE-2021-40491: inetutils' ftp client before 2.2 does not validate addresses returned by PSV/LSPV responses to make sure they match the server address. An evil ftpd can use this flaw to access services in the client's private network. This is similar to curl's CVE-2020-8284. Closes: #993476. + CVE-2022-39028: inetutils's telnetd through 2.3 has a NULL pointer dereference which a client can trigger by sending 0xff 0xf7 or 0xff 0xf8. Closes: #956084. * Add d/gbp.conf to point to 'debian/buster' branch. * Add d/salsa-ci.yml. Checksums-Sha1: d88026c81d01b40d51094d17c2fc87de8b4e68cc 2739 inetutils_1.9.4-7+deb10u2.dsc 8dc4e66e80678fe86717d486e470b395258c2fd5 98576 inetutils_1.9.4-7+deb10u2.debian.tar.xz 65e9c78ef82ce9429165c0bb4d58bca91aa33eba 13239 inetutils_1.9.4-7+deb10u2_amd64.buildinfo Checksums-Sha256: e1f6f63ae981dbdf239a51995cf0e045fd6ebb630dc7d4274e26945dd15c3ce2 2739 inetutils_1.9.4-7+deb10u2.dsc 005490d899975de4c73b506b535f36b6fab692da1c919ebd5b6f33ca4880c97b 98576 inetutils_1.9.4-7+deb10u2.debian.tar.xz 0ba7fb609affb08d7d87879590f4ed6142cf0cf37ce774fe0d6940c38ad8931c 13239 inetutils_1.9.4-7+deb10u2_amd64.buildinfo Files: 5f71e2117dff69fa614a353144416b5d 2739 net optional inetutils_1.9.4-7+deb10u2.dsc e564a267e1bc3625a14670524b6b457f 98576 net optional inetutils_1.9.4-7+deb10u2.debian.tar.xz eb259e2b837703a624c419c187c5015e 13239 net optional inetutils_1.9.4-7+deb10u2_amd64.buildinfo -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEERpy6p3b9sfzUdbME05pJnDwhpVIFAmOAAyYACgkQ05pJnDwh pVIIBxAAj/uu/8i712d0+3GOxjMaDU5o96Z1p8WWEFvKq9fvlsrAZOAdSGYjNCih Bat+d938OPa1H1RMosYjC/kPwRglgAVpE22p/3LMnrulO2mAv3psnoU9aSrGh0tU xwN+3Tkjl8/VC9Cl1oYDLJNKfkOvtgqrqLInxvlU1Tx1xNqehpgWhIZobPHgBDOT CxCWjuUHAdQlNnI5H5qBb8wa9zNh2MWXfRrjdEY3WjCFqN8fmxTFYfQ0Z4pIqNlM tdz/3+Qmkm2s3IvkujDZyifFFDNu7GGpy4XK+PXyKAgj5Me3aFG+yhg2LB7ioB+p XtzcnkXzpDoliGJsfKrVA2u2X+sd3oID/f/iYXwmt4eUMJ+PoQLGmErKG5aSsYst I6V+LrFmYTXLE/uSOjSURpo2yXTzHMXPJIYf1aUVf8X0vlnOorkLUXxBOTew7C6M R+8g5AUSCLXtFmLHYgYp0/AgYnkUv/ON6vxvSEpYb2JyfQvXaSRlfCYzaBpiaoWF XHW7G2wSQv1IZYvYKyk9MawEDwCPhU2Hfs+9LYbwM1O3crWHK+ERwrc3oLVsCcgc DT+/jjLA0zAJtWaXwJzvmTkZrue7e5Ej4dxeL19DFzVjhmJy8npznIRuIAS1E51C dGtMvPV9Pj4gNoOVXr6KNBg4Vv71N+rKvZ6JgE3GnsKRcdrg+ec= =A4wv -----END PGP SIGNATURE-----