Hi, Great! Thank you for making this change. What about the CVE?
Best regards, Ron On Thu, Feb 19, 2026 at 9:28 PM Erik Auerswald <[email protected]> wrote: > Hi, > > I've just pushed the attribution change. > > Cheers, > Erik > > > On Wed, Feb 18, 2026 at 03:41:00PM +0200, Ron Ben Yizhak wrote: > > Hi, > > > > That is perfect. Thank you! > > > > On Wed, Feb 18, 2026 at 3:21 PM Erik Auerswald < > [email protected]> > > wrote: > > > > > Hi, > > > > > > I think it would be fine to adjust the attribution, would something > like > > > the following be OK? > > > > > > ----------------8<---------------- > > > diff --git a/NEWS.md b/NEWS.md > > > index f5172a71..2d575efa 100644 > > > --- a/NEWS.md > > > +++ b/NEWS.md > > > @@ -8,7 +8,7 @@ improvements and security advisory by Simon Josefsson. > > > > > > ** Prevent privilege escalation via telnetd abusing systemd service > > > credentials support added to the login(1) implementation of util-linux > > > -in release 2.40. Reported by Ron Ben Yizhak in > > > +in release 2.40. Reported by Ron Ben Yizhak@SafeBreach in > > > < > https://lists.gnu.org/archive/html/bug-inetutils/2026-02/msg00000.html>. > > > > > > ** telnet: Drop everything related to TN3270. > > > diff --git a/THANKS b/THANKS > > > index ef5f6063..f6e725f1 100644 > > > --- a/THANKS > > > +++ b/THANKS > > > @@ -10,7 +10,7 @@ In particular: > > > Nathan Neulinger (tftpd) > > > Thomas Bushnell (sockaddr sin_len field) > > > Kyu Neushwaistein (reported remote root exploit in telnetd) > > > - Ron Ben Yizhak (reported privilege escalation via telnetd) > > > + Ron Ben Yizhak@SafeBreach (reported privilege escalation via > telnetd) > > > > > > Please see version control logs and ChangeLog.? for full credits. > > > > > > ---------------->8---------------- > > > > > > Any objections? > > > > > > Cheers, > > > Erik > > > > > > > > > On Mon, Feb 16, 2026 at 02:03:01PM +0200, Ron Ben Yizhak wrote: > > > > Hi, > > > > > > > > Thank you for handling my report and fixing the vulnerability. As > this > > > > finding was done as part of my job at SafeBreach, it is very > important > > > for > > > > us that SafeBreach will be mentioned in the patch. > > > > Could you please change the THANKS and NEWS.md file to say Ron Ben > > > > Yizhak@SafeBreach instead of Ron Ben Yizhak? > > > > > > > > Also, when will a CVE be assigned for this vulnerability? > > > > Thank you, > > > > Ron Ben Yizhak > > > > > > > > On Sun, Feb 15, 2026 at 7:21 PM Erik Auerswald < > > > [email protected]> > > > > wrote: > > > > > > > > > Hi Simon, > > > > > > > > > > On Sun, Feb 15, 2026 at 04:36:56PM +0100, Simon Josefsson wrote: > > > > > > Erik Auerswald <[email protected]> writes: > > > > > > > > > > > > > I plan to commit and push the attached patch in a few days to > > > address > > > > > > > this vulnerability, unless there are reasonable objections. > > > > > > > > > > > > Thanks -- I wish we could implement the --accept-env approach and > > > make > > > > > > the default not set any environment variables at all, but I don't > > > have > > > > > > cycles to work on that. Anyone else? > > > > > > > > > > Me neither. > > > > > > > > > > > Your patch seems to close this vulnerability report in a most > minimal > > > > > > way, so IMHO we should apply it. > > > > > > > > > > I have just applied it. > > > > > > > > > > Cheers, > > > > > Erik >
