Hi, That is perfect. Thank you!
On Wed, Feb 18, 2026 at 3:21 PM Erik Auerswald <[email protected]> wrote: > Hi, > > I think it would be fine to adjust the attribution, would something like > the following be OK? > > ----------------8<---------------- > diff --git a/NEWS.md b/NEWS.md > index f5172a71..2d575efa 100644 > --- a/NEWS.md > +++ b/NEWS.md > @@ -8,7 +8,7 @@ improvements and security advisory by Simon Josefsson. > > ** Prevent privilege escalation via telnetd abusing systemd service > credentials support added to the login(1) implementation of util-linux > -in release 2.40. Reported by Ron Ben Yizhak in > +in release 2.40. Reported by Ron Ben Yizhak@SafeBreach in > <https://lists.gnu.org/archive/html/bug-inetutils/2026-02/msg00000.html>. > > ** telnet: Drop everything related to TN3270. > diff --git a/THANKS b/THANKS > index ef5f6063..f6e725f1 100644 > --- a/THANKS > +++ b/THANKS > @@ -10,7 +10,7 @@ In particular: > Nathan Neulinger (tftpd) > Thomas Bushnell (sockaddr sin_len field) > Kyu Neushwaistein (reported remote root exploit in telnetd) > - Ron Ben Yizhak (reported privilege escalation via telnetd) > + Ron Ben Yizhak@SafeBreach (reported privilege escalation via telnetd) > > Please see version control logs and ChangeLog.? for full credits. > > ---------------->8---------------- > > Any objections? > > Cheers, > Erik > > > On Mon, Feb 16, 2026 at 02:03:01PM +0200, Ron Ben Yizhak wrote: > > Hi, > > > > Thank you for handling my report and fixing the vulnerability. As this > > finding was done as part of my job at SafeBreach, it is very important > for > > us that SafeBreach will be mentioned in the patch. > > Could you please change the THANKS and NEWS.md file to say Ron Ben > > Yizhak@SafeBreach instead of Ron Ben Yizhak? > > > > Also, when will a CVE be assigned for this vulnerability? > > Thank you, > > Ron Ben Yizhak > > > > On Sun, Feb 15, 2026 at 7:21 PM Erik Auerswald < > [email protected]> > > wrote: > > > > > Hi Simon, > > > > > > On Sun, Feb 15, 2026 at 04:36:56PM +0100, Simon Josefsson wrote: > > > > Erik Auerswald <[email protected]> writes: > > > > > > > > > I plan to commit and push the attached patch in a few days to > address > > > > > this vulnerability, unless there are reasonable objections. > > > > > > > > Thanks -- I wish we could implement the --accept-env approach and > make > > > > the default not set any environment variables at all, but I don't > have > > > > cycles to work on that. Anyone else? > > > > > > Me neither. > > > > > > > Your patch seems to close this vulnerability report in a most minimal > > > > way, so IMHO we should apply it. > > > > > > I have just applied it. > > > > > > Cheers, > > > Erik >
