Hi, I've just pushed the attribution change.
Cheers, Erik On Wed, Feb 18, 2026 at 03:41:00PM +0200, Ron Ben Yizhak wrote: > Hi, > > That is perfect. Thank you! > > On Wed, Feb 18, 2026 at 3:21 PM Erik Auerswald <[email protected]> > wrote: > > > Hi, > > > > I think it would be fine to adjust the attribution, would something like > > the following be OK? > > > > ----------------8<---------------- > > diff --git a/NEWS.md b/NEWS.md > > index f5172a71..2d575efa 100644 > > --- a/NEWS.md > > +++ b/NEWS.md > > @@ -8,7 +8,7 @@ improvements and security advisory by Simon Josefsson. > > > > ** Prevent privilege escalation via telnetd abusing systemd service > > credentials support added to the login(1) implementation of util-linux > > -in release 2.40. Reported by Ron Ben Yizhak in > > +in release 2.40. Reported by Ron Ben Yizhak@SafeBreach in > > <https://lists.gnu.org/archive/html/bug-inetutils/2026-02/msg00000.html>. > > > > ** telnet: Drop everything related to TN3270. > > diff --git a/THANKS b/THANKS > > index ef5f6063..f6e725f1 100644 > > --- a/THANKS > > +++ b/THANKS > > @@ -10,7 +10,7 @@ In particular: > > Nathan Neulinger (tftpd) > > Thomas Bushnell (sockaddr sin_len field) > > Kyu Neushwaistein (reported remote root exploit in telnetd) > > - Ron Ben Yizhak (reported privilege escalation via telnetd) > > + Ron Ben Yizhak@SafeBreach (reported privilege escalation via telnetd) > > > > Please see version control logs and ChangeLog.? for full credits. > > > > ---------------->8---------------- > > > > Any objections? > > > > Cheers, > > Erik > > > > > > On Mon, Feb 16, 2026 at 02:03:01PM +0200, Ron Ben Yizhak wrote: > > > Hi, > > > > > > Thank you for handling my report and fixing the vulnerability. As this > > > finding was done as part of my job at SafeBreach, it is very important > > for > > > us that SafeBreach will be mentioned in the patch. > > > Could you please change the THANKS and NEWS.md file to say Ron Ben > > > Yizhak@SafeBreach instead of Ron Ben Yizhak? > > > > > > Also, when will a CVE be assigned for this vulnerability? > > > Thank you, > > > Ron Ben Yizhak > > > > > > On Sun, Feb 15, 2026 at 7:21 PM Erik Auerswald < > > [email protected]> > > > wrote: > > > > > > > Hi Simon, > > > > > > > > On Sun, Feb 15, 2026 at 04:36:56PM +0100, Simon Josefsson wrote: > > > > > Erik Auerswald <[email protected]> writes: > > > > > > > > > > > I plan to commit and push the attached patch in a few days to > > address > > > > > > this vulnerability, unless there are reasonable objections. > > > > > > > > > > Thanks -- I wish we could implement the --accept-env approach and > > make > > > > > the default not set any environment variables at all, but I don't > > have > > > > > cycles to work on that. Anyone else? > > > > > > > > Me neither. > > > > > > > > > Your patch seems to close this vulnerability report in a most minimal > > > > > way, so IMHO we should apply it. > > > > > > > > I have just applied it. > > > > > > > > Cheers, > > > > Erik
