Control: tag 1130742 pending
Hi!
Bug #1130742 that you reported in package inetutils has been fixed
in the debian/pkgs/inetutils.git git repository. You can see the changelog
below, and you can check the diff of the fix at:
https://git.hadrons.org/cgit/debian/pkgs/inetutils.git/diff/?id=3c740e9
---
commit 3c740e9fa5f28e57aaf83c3d5fbbbf13ac7955ee (HEAD -> main, tag: 2.7-4)
Author: Guillem Jover <[email protected]>
Date: Mon Mar 16 08:18:04 2026 +0100
Release inetutils 2:2.7-4
diff --git a/debian/changelog b/debian/changelog
index 4b83ef5..83460d9 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,8 +1,17 @@
-inetutils (2:2.7-4) UNRELEASED; urgency=medium
+inetutils (2:2.7-4) unstable; urgency=high
* Update patch metadata.
+ * Add patches from upstream:
+ - Ignore all environment options from clients unless the variable was
+ listed in the new --accept-env telnetd option. This mitigates privilege
+ escalation using environment variables.
+ This is the complete fix for CVE-2026-24061, with its own CVE pending.
+ - Fix stack buffer overlflow processing SLC suboption triplets.
+ Reported by Adiel Sol, Arad Inbar, Erez Cohen, Nir Somech, Ben Grinberg,
+ Daniel Lubel at DREAM Security Research Team.
+ Fixes CVE-2026-32746. (Closes: #1130742)
- -- Guillem Jover <[email protected]> Sat, 21 Feb 2026 02:19:34 +0100
+ -- Guillem Jover <[email protected]> Mon, 16 Mar 2026 09:22:45 +0100
inetutils (2:2.7-3) unstable; urgency=high
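Review bot: the added entry "Fix stack buffer overlflow processing SLC suboption triplets." misspells "overflow"; since the changelog of an uploaded version is normally left as released, correct it in the next upload's entry. The first added item says the complete fix for CVE-2026-24061 has "its own CVE pending", so a follow-up changelog entry should record that identifier once it is assigned, otherwise the fix cannot be found by CVE number later. That same item changes the telnetd default, since all client environment options are now ignored unless listed via --accept-env; a debian/NEWS entry would warn administrators who rely on client-supplied variables before they upgrade. The move to urgency=high matches the security content of the upload.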