oss-sec mailing list archives
inetutils-2.8 released with 2 CVE fixes
From: Alan Coopersmith <alan.coopersmith () oracle com>
Date: Wed, 29 Apr 2026 18:50:50 -0700
-------- Forwarded Message --------
Subject: inetutils-2.8 released [stable]
Date: Wed, 29 Apr 2026 16:58:30 +0200
From: Simon Josefsson via Announcements and Requests for Help from the GNU project and the Free Software Foundation <info-gnu () gnu org>
Reply-To: Simon Josefsson <simon () josefsson org>
To: info-gnu () gnu org
CC: bug-inetutils () gnu org
This is to announce inetutils-2.8, a stable release.
GNU Networking Utilities (inetutils) contain traditional network
clients, servers and utilities. Tools include ftp(d), telnet(d), inetd,
rsh(d), rlogin(d), rexec(d), rcp, tftp(d), talk(d), syslogd, ping,
traceroute, whois, hostname, dnsdomainname, ifconfig, logger, and uucpd.
There have been 55 commits by 5 people in the 19 weeks since 2.7.
See the NEWS below for a brief summary.
Thanks to everyone who has contributed!
The following people contributed changes to this release:
Collin Funk (16)
Erik Auerswald (2)
Guillem Jover (5)
Paul Eggert (1)
Simon Josefsson (31)
Happy Hacking,
/Simon
==================================================================
Here is the GNU inetutils home page:
https://www.gnu.org/software/inetutils/
Here are the compressed sources and a GPG detached signature:
https://ftp.gnu.org/gnu/inetutils/inetutils-2.8.tar.gz
https://ftp.gnu.org/gnu/inetutils/inetutils-2.8.tar.gz.sig
Here is minimal source-only "git archive" sources:
https://ftp.gnu.org/gnu/inetutils/inetutils-v2.8-src.tar.gz
https://ftp.gnu.org/gnu/inetutils/inetutils-v2.8-src.tar.gz.sig
Here are Sigsum Proofs:
https://ftp.gnu.org/gnu/inetutils/inetutils-2.8.tar.gz.proof
https://ftp.gnu.org/gnu/inetutils/inetutils-v2.8-src.tar.gz.proof
Use a mirror for higher download bandwidth:
https://www.gnu.org/order/ftp.html
Here are the SHA256 and SHA3-256 checksums:
SHA256 (inetutils-2.8.tar.gz) = V7PPT3dVWZKIHluioJpjsFqixWNCpg7UMFtfRZODkLU=
SHA3-256 (inetutils-2.8.tar.gz) = RVBNQFrj92kVzDa6adlwNnABhKqQSjG7ENhRvLJ4s5k=
SHA256 (inetutils-v2.8-src.tar.gz) = p2u2aAYMXSgmak3NUzy/SOmi0lQtG+PlNy5DB9U0zVs=
SHA3-256 (inetutils-v2.8-src.tar.gz) = nhQ5A77kAPmT2vZduZyjESeRFVnD0gneNP8lUKdG4wg=
Verify the base64 SHA256 checksum with 'cksum -a sha256 --check'
from coreutils-9.2 or OpenBSD's cksum since 2007.
Verify the base64 SHA3-256 checksum with 'cksum -a sha3 --check'
from coreutils-9.8.
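The announcement publishes its digests in base64, while older `sha256sum`/`cksum` builds only understand hex. The following POSIX sh helper (an added example, not part of the announcement or of inetutils) converts a published base64 digest to hex and compares it with the file's SHA-256; it assumes GNU `base64`, `od` and `sha256sum` are present.

```sh
#!/bin/sh
# Added example (not from the announcement): verify a downloaded tarball
# against a base64-encoded SHA-256 digest on hosts whose cksum predates
# coreutils 9.2 (no 'cksum -a sha256 --check').
# Assumes POSIX sh with GNU base64(1), od(1) and sha256sum(1).

# Convert a base64 digest, as printed in GNU release mails, to the
# lowercase hex form that sha256sum(1) prints.
b64_digest_to_hex() {
    printf '%s' "$1" | base64 -d | od -An -v -tx1 | tr -d ' \n'
}

# verify_sha256_b64 FILE B64DIGEST
# Exit status 0 when FILE's SHA-256 equals B64DIGEST, 1 otherwise.
verify_sha256_b64() {
    file=$1
    expected=$(b64_digest_to_hex "$2") || return 1
    # A SHA-256 digest is 32 bytes, i.e. exactly 64 hex characters; reject
    # a truncated or mis-pasted digest before comparing anything.
    [ "${#expected}" -eq 64 ] || return 1
    actual=$(sha256sum -- "$file" | cut -d' ' -f1) || return 1
    # Fixed-string comparison; the digest is never used as a pattern.
    [ "$expected" = "$actual" ]
}

# Usage against the release artefact named in the announcement:
#   verify_sha256_b64 inetutils-2.8.tar.gz \
#       'V7PPT3dVWZKIHluioJpjsFqixWNCpg7UMFtfRZODkLU=' && echo 'checksum OK'
```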
Use a .sig file to verify that the corresponding file (without the
.sig suffix) is intact. First, be sure to download both the .sig file
and the corresponding tarball. Then, run a command like this:
gpg --verify inetutils-2.8.tar.gz.sig
If that command fails because you don't have the required public key,
or that public key has expired, try the following commands to retrieve
or refresh it, and then rerun the 'gpg --verify' command.
gpg --recv-keys 51722B08FE4745A2
wget -q -O- 'https://savannah.gnu.org/project/release-gpgkeys.php?group=inetutils&download=1' | gpg --import -
As a last resort to find the key, you can try the official GNU
keyring:
wget -q https://ftp.gnu.org/gnu/gnu-keyring.gpg
gpg --keyring gnu-keyring.gpg --verify inetutils-2.8.tar.gz.sig
Use the .proof files to verify the Sigsum proof. These files are like
signatures but with extra transparency: you can cryptographically verify
that every signature is logged in a public append-only log, so you can
say with confidence what signatures exist. This makes hidden releases
no longer deniable for the same public key.
Releases are Sigsum-signed with the following public key:
cat <<EOF > inetutils-sigsum-key.pub
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILzCFcHHrKzVSPDDarZPYqn89H5TPaxwcORgRg+4DagE
EOF
Run a command like this to verify downloaded artifacts:
sigsum-verify -k inetutils-sigsum-key.pub -P sigsum-generic-2025-1 \
inetutils-2.8.tar.gz.proof < inetutils-2.8.tar.gz
You may learn more about Sigsum concepts and find instructions on how to
download the tools here: https://www.sigsum.org/getting-started/
This release is based on the inetutils git repository, available as
git clone https://https.git.savannah.gnu.org/git/inetutils.git
with commit 0502102477fc33eb0fd5f13011aaddda19a56e01 tagged as v2.8.
For a summary of changes and contributors, see:
https://gitweb.git.savannah.gnu.org/gitweb/?p=inetutils.git;a=shortlog;h=v2.8
or run this command from a git-cloned inetutils directory:
git shortlog v2.7..v2.8
This release was bootstrapped with the following tools:
Gnulib 2026-04-19 6466c4b5321eb2625a25e582516c0fa4a5261d05
Autoconf 2.72
Automake 1.17
Bison 3.8.2
M4 1.4.19
Makeinfo 7.1.1
Help2man 1.49.2
Make 4.4.1
Gzip 1.14
Tar 1.35
Guix 1.5.0rc1
NEWS.md
# Noteworthy changes in release 2.8 (2026-04-29) [stable]
** telnetd no longer supports the --debug (-D) option. Previously, it
would open a predictable file name at /tmp/telnet.debug, following it if
it were a symbolic link. The data printed to it could also be
controlled by a client. These behaviors could be combined to result in
a local privilege escalation. Reported by Justin Swartz in
<https://lists.gnu.org/r/bug-inetutils/2026-03/msg00040.html>.
Guillem Jover also mentioned that another user can create the file
before telnetd does, keep the file open, and snoop on sessions which may
include credentials in
<https://lists.gnu.org/r/bug-inetutils/2026-03/msg00048.html>.
** telnet no longer leaks the value of unexported environment variables
to servers sending the NEW-ENVIRON SEND USERVAR command.
Reported by Justin Swartz in
<https://www.openwall.com/lists/oss-security/2026/03/13/1>.
** telnetd no longer allows clients to write past the end of a stack
allocated buffer, possibly leading to remote code execution, using an
SLC suboption with many triplets using function octets greater than 18.
CVE-2026-32746
Reported by Adiel Sol, Arad Inbar, Erez Cohen, Nir Somech, Ben Grinberg,
Daniel Lubel at DREAM Security Research Team in
<https://lists.gnu.org/r/bug-inetutils/2026-03/msg00031.html>.
** telnetd now ignores all environment options by default. Environment
variables passed by the new --accept-env option can bypass this
restriction. This is necessary to avoid vulnerabilities similar to
CVE-2026-28372, since many different environment variables can be used
to escalate privileges.
** Fix telnetd remote authentication bypass vulnerability. CVE-2026-24061
Reported by Kyu Neushwaistein. Initial patch by Paul Eggert; further
improvements and security advisory by Simon Josefsson.
** Prevent privilege escalation via telnetd abusing systemd service
credentials support added to the login(1) implementation of util-linux
in release 2.40. CVE-2026-28372
Reported by Ron Ben Yizhak@SafeBreach in
<https://lists.gnu.org/archive/html/bug-inetutils/2026-02/msg00000.html>.
** telnet: Drop everything related to TN3270.
The code did not build (several missing required header files) and
even if we could fix it, we have no way to test it. It may contain
security vulnerabilities.
** inetd: Adds new --foreground parameter to avoid forking.
See <https://codeberg.org/inetutils/inetutils/pulls/10>, patch by
Guillem Jover.
** Paths use $(runstatedir) instead of $(localstatedir)/run for PID files etc.
The intention is that this is a no-op for normal installations, and
the files should end up in the same paths because the default value
for $(runstatedir) is $(localstatedir)/run.
** Some compiler warnings are now enabled by default.
Disable with --enable-gcc-warnings=no. Based on the Gnulib
manywarnings module, see
<https://www.gnu.org/software/gnulib/manual/html_node/manywarnings.html>.
** configure.ac avoids implicit declaration of tcpd.h hosts_ctl.
Patch and report by Mike Gilbert <floppym () gentoo org> in
<https://lists.gnu.org/archive/html/bug-inetutils/2026-03/msg00026.html>.
** tests: Improve libls test that doesn't work reliably across file systems.
See <https://codeberg.org/inetutils/inetutils/pulls/9>.
** Older ChangeLog.? files not included in release tarball.
They are still available in the git history. Saves around 0.7MB
uncompressed in the release tarball. Compare GNU CoreUtils
https://cgit.git.savannah.gnu.org/cgit/coreutils.git/commit/NEWS?id=4e112e90b11b70bd6dc5b441f820803fc2aadd69.