Your message dated Mon, 16 Mar 2026 09:04:28 +0000
with message-id <[email protected]>
and subject line Bug#1130742: fixed in inetutils 2:2.7-4
has caused the Debian Bug report #1130742,
regarding inetutils: CVE-2026-32746
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1130742: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1130742
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: inetutils
Version: 2:2.7-3
Severity: grave
Tags: security upstream
Justification: user security hole
Forwarded: https://lists.gnu.org/archive/html/bug-inetutils/2026-03/msg00031.html
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for inetutils.
CVE-2026-32746[0]:
| telnetd in GNU inetutils through 2.7 allows an out-of-bounds write
| in the LINEMODE SLC (Set Local Characters) suboption handler because
| add_slc does not check whether the buffer is full.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-32746
https://www.cve.org/CVERecord?id=CVE-2026-32746
[1] https://lists.gnu.org/archive/html/bug-inetutils/2026-03/msg00031.html
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
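
The bug class named in the CVE description above (an append routine that never checks whether its buffer is full), shown in its bounds-checked form as an added example. This is a simplified model written for this page, not inetutils source: the struct, the function names and the 32-byte capacity are assumptions.

```c
#include <stddef.h>
#include <stdint.h>

#define IAC 255            /* Telnet "interpret as command" byte (RFC 854) */
#define SLC_REPLY_MAX 32   /* assumed capacity, kept small for the demo */

/* Hypothetical reply buffer holding SLC triplets (function, flags, value). */
struct slc_reply {
    uint8_t buf[SLC_REPLY_MAX];
    size_t  len;
};

/* Bytes one octet occupies on the wire: a literal 255 is sent as IAC IAC. */
static size_t wire_len(uint8_t b) { return b == IAC ? 2 : 1; }

/* Caller must already have verified that the bytes fit. */
static void put_escaped(struct slc_reply *r, uint8_t b)
{
    r->buf[r->len++] = b;
    if (b == IAC)
        r->buf[r->len++] = IAC;
}

/*
 * Append one triplet. Returns 0 on success, -1 if it would not fit.
 * The space check runs before any byte is written, so a refused
 * triplet leaves the buffer untouched (no partial write).
 */
int slc_reply_add(struct slc_reply *r, uint8_t func, uint8_t flags, uint8_t value)
{
    size_t need = wire_len(func) + wire_len(flags) + wire_len(value);

    if (need > SLC_REPLY_MAX - r->len)
        return -1;
    put_escaped(r, func);
    put_escaped(r, flags);
    put_escaped(r, value);
    return 0;
}

/* Queue up to n peer-supplied triplets; returns how many were accepted. */
size_t slc_reply_add_many(struct slc_reply *r, const uint8_t *triplets, size_t n)
{
    size_t i;
    for (i = 0; i < n; i++)
        if (slc_reply_add(r, triplets[3 * i], triplets[3 * i + 1], triplets[3 * i + 2]) != 0)
            break;
    return i;
}
```

The worst case per triplet is six bytes, not three, because each of the three octets may need IAC doubling; a check that counts triplets instead of wire bytes would still overrun.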
--- Begin Message ---
Source: inetutils
Source-Version: 2:2.7-4
Done: Guillem Jover <[email protected]>
We believe that the bug you reported is fixed in the latest version of
inetutils, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Guillem Jover <[email protected]> (supplier of updated inetutils package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Mon, 16 Mar 2026 09:22:45 +0100
Source: inetutils
Architecture: source
Version: 2:2.7-4
Distribution: unstable
Urgency: high
Maintainer: Guillem Jover <[email protected]>
Changed-By: Guillem Jover <[email protected]>
Closes: 1130742
Changes:
 inetutils (2:2.7-4) unstable; urgency=high
 .
   * Update patch metadata.
   * Add patches from upstream:
     - Ignore all environment options from clients unless the variable was
       listed in the new --accept-env telnetd option. This mitigates privilege
       escalation using environment variables.
       This is the complete fix for CVE-2026-24061, with its own CVE pending.
     - Fix stack buffer overflow processing SLC suboption triplets.
       Reported by Adiel Sol, Arad Inbar, Erez Cohen, Nir Somech, Ben Grinberg,
       Daniel Lubel at DREAM Security Research Team.
       Fixes CVE-2026-32746. (Closes: #1130742)
--- End Message ---