oss-sec mailing list archives
Re: GNU InetUtils Security Advisory: remote authentication by-pass in telnetd
From: Jakub Wilk <jwilk () jwilk net>
Date: Wed, 21 Jan 2026 14:09:03 +0100
* Alexander Bochmann <ab () lists gxis de>, 2026-01-21 00:16:
> ...on 2026-01-20 15:00:07, Simon Josefsson wrote:
>
>> Vulnerable versions: GNU InetUtils since version 1.9.3 up to and including version 2.7.
>
> Looking at Debian, this gets even more hilarious... Their changelog for inetutils has:
>
> inetutils (2:1.9.4-7) unstable; urgency=medium
> [..]
>   * Take several patches from upstream git master:
> [..]
>     - 0028-telnetd-Scrub-USER-from-environment.patch

I think this is unrelated. The bug is reproducible with inetutils-telnetd 2:1.9.4-7 too.

-- 
Jakub Wilk
