Re: CVE-2026-28372: Telnetd Vulnerability Report

[Guillem Jover <guillem () debian org>]

Hi!

On Sat, 2026-03-07 at 00:17:55 +0100, Salvatore Bonaccorso wrote:
> On Fri, Mar 06, 2026 at 04:39:23PM +0100, Guillem Jover wrote:
> > I'm not part of the Debian Security Team (I just maintain the inetutils
> > package in Debian), but I think they assigned a CVE because there didn't
> > seem to be one coming from upstream. I guess the expectation would be
> > that if there's a new CVE to be assigned that would be handled by
> > upstream, but if it's needed and it's not forthcoming they might assign
> > another one? (Although the easier way forward would be to reuse the
> > existing one, and issue an update for the DSA.)
>
> I just need to clarify one thing here: The CVE was not assigned by the
> Debian CNA, but as there was no CVE assigned by the issue reported by
> Ron, I requested one from MITRE. There was none assigned in time when
> we released the DSA, and at that point TTBOMK the more general
> issue/root cause indication by Justin Swartz was not known. So the CVE
> request to MITRE was done specifically as for the issue found by Ron.

Right, sorry, as it seems like I forgot about this (where I was even
CCed in later emails mentioning this)!

Thanks,
Guillem