Hello,

On Sun, Feb 07, 2021 at 09:06:28PM +0100, Salvatore Bonaccorso wrote:
[...]
> > 2) possibly unpatched exploit here:
> > https://www.exploit-db.com/exploits/48170
>
> JFTR, this one was CVE-2020-10188 and in Debian was fixed in earlier
> times.
>
> Replacing telnetd package with an empty package and depending on
> inetutils-telnetd: is it possible to basically interchangeably replace
> those two? If so this might be an option but I'm not sure if at this
> stage of the preparations for bullseye it might be too late.

It's not like inetutils is a shining example of perfectness either.

#945861 inetutils: CVE-2019-0053

The inetutils also doesn't ship all tools and recommends using existing
ones including netkit (e.g. in #672295). It also seems to lack features
compared to netkit alternatives (e.g. SSL).

... "pest eller kolera" ...

It seems like Christoph Biedl, who did the last NMU, has considered
adopting the package. Hopefully if that happened the situation around
netkit could improve.

>
> > 1) open bug #974428, causes telnetd to crash, remotely triggerable
>
> The first issue, if there is a verified patch might be good to fix in
> time for bullseye.

I've pondered uploading the posted patch and since the last maintainer
upload was in 2016 I'd orphan the package while doing so.... but I'll
consider hijacking it on Christoph Biedl's behalf if he's interested in
maintaining it still.

Unless there's a conclusion about this bug report I don't really see
much point in proceeding though.

Regards,
Andreas Henriksson