Hi,

On Sat, Mar 14, 2026 at 03:58:54PM +0100, Salvatore Bonaccorso wrote:
>
> The following vulnerability was published for inetutils.
>
> CVE-2026-32772[0]:
> | telnet in GNU inetutils through 2.7 allows servers to read arbitrary
> | environment variables from clients via NEW_ENVIRON SEND USERVAR.
>
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2026-32772
>     https://www.cve.org/CVERecord?id=CVE-2026-32772
> [1] https://www.openwall.com/lists/oss-security/2026/03/13/1
To add a bit more information (I'm not sure if it should go to the security
tracker, but it would definitely help to be in the BTS), there are two patches
mentioned in the oss-security thread restricting the ENVVARS leaked, one in
the telnet client from OpenBSD [1][2] and one in netkit-telnet [3][4]. Though
at the moment, no upstream patch has surfaced.

Cheers,
Charles

[1] https://www.openwall.com/lists/oss-security/2026/03/13/2
[2] https://github.com/openbsd/src/commit/1a11dc7253488a97d6df686dae9230f78682e8df
[3] https://www.openwall.com/lists/oss-security/2026/03/14/2
[4] https://gitlab.com/redhat/centos-stream/rpms/telnet/-/blob/c9s/telnet-0.17-env.patch
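For readers of this bug who want to see what "restricting the ENVVARS leaked" amounts to on the client side, here is an added example in Python. It is not code from inetutils, OpenBSD or netkit-telnet; it models the RFC 1572 NEW-ENVIRON SEND/IS exchange with a client that answers only from a fixed allow-list, so a server-sent `USERVAR` naming an arbitrary variable gets nothing back. The sub-option codes (IS, SEND, VAR, VALUE, ESC, USERVAR) follow RFC 1572; `ALLOWED_VARS`, the sample environment and the sample SEND request are constructed for the example, and the `strict=False` path only exists to show the leaky behaviour the advisory describes next to the filtered one.

```python
# Added example (not inetutils, OpenBSD or netkit code): a client-side handler
# for the RFC 1572 NEW-ENVIRON SEND sub-option that discloses only an
# allow-list of variables. The constants follow RFC 1572; the allow-list,
# the sample environment and the sample request are constructed here.

IS, SEND, INFO = 0, 1, 2               # NEW-ENVIRON sub-option commands
VAR, VALUE, ESC, USERVAR = 0, 1, 2, 3  # type and separator bytes

# Hypothetical allow-list: the "well-known" names RFC 1572 lists. A real
# client picks its own; the point is that nothing outside it is ever sent.
ALLOWED_VARS = ("USER", "DISPLAY", "PRINTER")


def parse_send(payload):
    """Parse the bytes between SEND and IAC SE into (type, name) pairs.
    An empty name means 'every variable of that type'."""
    requests, i = [], 0
    while i < len(payload):
        kind = payload[i]
        if kind not in (VAR, USERVAR):
            raise ValueError("unexpected type byte %d in SEND" % kind)
        i += 1
        name = bytearray()
        while i < len(payload) and payload[i] not in (VAR, USERVAR):
            if payload[i] == ESC and i + 1 < len(payload):
                i += 1                    # ESC: take the next byte literally
            name.append(payload[i])
            i += 1
        requests.append((kind, name.decode("ascii", "replace")))
    return requests


def escape(raw):
    """Escape VAR/VALUE/ESC/USERVAR bytes inside a name or value (RFC 1572)."""
    out = bytearray()
    for b in raw:
        if b in (VAR, VALUE, ESC, USERVAR):
            out.append(ESC)
        out.append(b)
    return bytes(out)


def build_is_reply(payload, environ, strict=True):
    """Build the IS sub-option body answering a SEND request.

    strict=True : only ALLOWED_VARS are disclosed, whatever the server asks
                  for; a bare USERVAR ("send all user variables") yields nothing.
    strict=False: mirrors the leaky behaviour the advisory describes, where any
                  USERVAR name the server sends is looked up in the client's
                  environment and returned.
    Returns (reply_bytes, [names disclosed])."""
    wanted = parse_send(payload) or [(VAR, "")]   # empty SEND == all VARs
    disclosed = []
    for kind, name in wanted:
        if name:
            candidates = [name]
        elif kind == VAR:
            candidates = list(ALLOWED_VARS)
        else:                                      # bare USERVAR
            candidates = [] if strict else sorted(environ)
        for n in candidates:
            if strict and n not in ALLOWED_VARS:
                continue                           # the fix: refuse the rest
            if n in environ and n not in disclosed:
                disclosed.append(n)
    reply = bytes([IS])
    for n in disclosed:
        kind = VAR if n in ALLOWED_VARS else USERVAR
        reply += (bytes([kind]) + escape(n.encode())
                  + bytes([VALUE]) + escape(environ[n].encode()))
    return reply, disclosed


# Constructed sample: the server asks for USERVAR AWS_SECRET_ACCESS_KEY and VAR USER.
SAMPLE_ENV = {"USER": "alice", "DISPLAY": ":0", "AWS_SECRET_ACCESS_KEY": "hunter2"}
SAMPLE_SEND = bytes([USERVAR]) + b"AWS_SECRET_ACCESS_KEY" + bytes([VAR]) + b"USER"

if __name__ == "__main__":
    for strict in (False, True):
        reply, names = build_is_reply(SAMPLE_SEND, SAMPLE_ENV, strict=strict)
        print("strict=%s -> discloses %s" % (strict, names))
```

Running it prints the unfiltered reply handing over `AWS_SECRET_ACCESS_KEY` and `USER`, and the filtered reply handing over `USER` only; the difference is the single `n not in ALLOWED_VARS` check, which is the shape of change the two patches referenced above make.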

