Hi, I think it would be fine to adjust the attribution, would something like the following be OK?
----------------8<---------------- diff --git a/NEWS.md b/NEWS.md index f5172a71..2d575efa 100644 --- a/NEWS.md +++ b/NEWS.md @@ -8,7 +8,7 @@ improvements and security advisory by Simon Josefsson. ** Prevent privilege escalation via telnetd abusing systemd service credentials support added to the login(1) implementation of util-linux -in release 2.40. Reported by Ron Ben Yizhak in +in release 2.40. Reported by Ron Ben Yizhak@SafeBreach in <https://lists.gnu.org/archive/html/bug-inetutils/2026-02/msg00000.html>. ** telnet: Drop everything related to TN3270. diff --git a/THANKS b/THANKS index ef5f6063..f6e725f1 100644 --- a/THANKS +++ b/THANKS @@ -10,7 +10,7 @@ In particular: Nathan Neulinger (tftpd) Thomas Bushnell (sockaddr sin_len field) Kyu Neushwaistein (reported remote root exploit in telnetd) - Ron Ben Yizhak (reported privilege escalation via telnetd) + Ron Ben Yizhak@SafeBreach (reported privilege escalation via telnetd) Please see version control logs and ChangeLog.? for full credits. ---------------->8---------------- Any objections? Cheers, Erik On Mon, Feb 16, 2026 at 02:03:01PM +0200, Ron Ben Yizhak wrote: > Hi, > > Thank you for handling my report and fixing the vulnerability. As this > finding was done as part of my job at SafeBreach, it is very important for > us that SafeBreach will be mentioned in the patch. > Could you please change the THANKS and NEWS.md file to say Ron Ben > Yizhak@SafeBreach instead of Ron Ben Yizhak? > > Also, when will a CVE be assigned for this vulnerability? > Thank you, > Ron Ben Yizhak > > On Sun, Feb 15, 2026 at 7:21 PM Erik Auerswald <[email protected]> > wrote: > > > Hi Simon, > > > > On Sun, Feb 15, 2026 at 04:36:56PM +0100, Simon Josefsson wrote: > > > Erik Auerswald <[email protected]> writes: > > > > > > > I plan to commit and push the attached patch in a few days to address > > > > this vulnerability, unless there are reasonable objections. > > > > > > Thanks -- I wish we could implement the --accept-env approach and make > > > the default not set any environment variables at all, but I don't have > > > cycles to work on that. Anyone else? > > > > Me neither. > > > > > Your patch seems to close this vulnerability report in a most minimal > > > way, so IMHO we should apply it. > > > > I have just applied it. > > > > Cheers, > > Erik
