...on 2026-01-20 15:00:07, Simon Josefsson wrote: > Vulnerable versions: GNU InetUtils since version 1.9.3 up to and > including version 2.7.
Looking at Debian, this gets even more hilarious... Their changelog for inetutils has: > inetutils (2:1.9.4-7) unstable; urgency=medium > [..] > * Take several patches from upstream git master: > [..] > - 0028-telnetd-Scrub-USER-from-environment.patch > > [..] Sat, 16 Feb 2019 18:09:37 +0100 I have not yet spun up a Debian 9 to see if that version was released as an update, but it presumably would have been safe in this regard. The next entry in their changelog is for Debian 10, > inetutils (2:1.9.4-7+deb10u1) buster; urgency=medium > > * CVE-2020-10188 (Closes: #956084) > > [..] Fri, 18 Sep 2020 20:06:42 +0200 That update fixed a remote code execution in telnetd and apparently reintroduced the environment bug yet another time (I tested that Debian 10 telnetd is vulnerable for this and later versions, and also subsequent Debian and Ubuntu releases)... Alex.
