Format: 1.8
Date: Sat, 11 Apr 2026 09:28:17 +0200
Source: inetutils
Architecture: source
Version: 2:2.0-1+deb11u4
Distribution: bullseye-security
Urgency: high
Maintainer: Guillem Jover <guillem@debian.org>
Changed-By: Andreas Henriksson <andreas@fatal.se>
Closes: 1130741 1130742
Changes:
 inetutils (2:2.0-1+deb11u4) bullseye-security; urgency=high
 .
   * Non-maintainer upload by the LTS Security Team.
   * Add patch from upstream:
     - Prevent privilege escalation via telnetd abusing systemd service
       credentials support added to the login(1) implementation of
       util-linux in release 2.40.
       Reported by Ron Ben Yizhak <ron.benyizhak@safebreach.com>.
       Fixes CVE-2026-28372.
     - Ignore all environment options from clients unless the variable was
       listed in the new --accept-env telnetd option. This mitigates
       privilege escalation using environment variables.
       This is the complete fix for CVE-2026-24061, with its own CVE
       pending.
     - Fix stack buffer overflow processing SLC suboption triplets.
       Reported by Adiel Sol, Arad Inbar, Erez Cohen, Nir Somech,
       Ben Grinberg, Daniel Lubel at DREAM Security Research Team.
       Fixes CVE-2026-32746. (Closes: #1130742)
     - Do not leak unexported env vars to telnetd.
       Reported by Justin Swartz <justin.swartz@risingedge.co.za>.
       Fixes CVE-2026-32772. (Closes: #1130741)
   * Add the hashcode-string1 module from forky/sid gnulib adapted to
     bookworm required by the --accept-env patch, and the gl_hash_set,
     gl_set, gl_xset and gl_anyhash bookworm gnulib modules required by
     hashcode-string1. Inject new gnulib modules in lib/Makefile.am.
   * Prevent user local privilege escalation using --debug, which was
     susceptible to symlink attacks, or leaking on-wire credentials to a
     user that had pre-created the file and kept it open. Fix by switching
     from /tmp/telnet.debug to /run/telnet/debug.<pid>, and making the
     setup error checks fatal.
     Partially reported by Justin Swartz <justin.swartz@risingedge.co.za>.
   * Update local telnetd man page to match new --debug behavior.