This bug was fixed in the package inetutils - 2:2.8-2ubuntu1
---------------
inetutils (2:2.8-2ubuntu1) stonking; urgency=medium

  * Merge with Debian unstable (LP: #2153307). Remaining changes:
    - Do not test the inetutils-ping package (LP #2009814)
      + d/t/test-root-commands: disable ping tests.
      + d/t/control: remove inetutils-ping dependency.

inetutils (2:2.8-2) unstable; urgency=medium

  * Remove no longer used spelling-error-in-binary lintian override.
  * Remove unused /var/log/ppp.log logrotate handling.
  * Merge individual logrotate log file entries into two entries.
  * Reload inetutils-syslogd for all logrotate entries.
  * Switch to /run/xconsole for all systems with a compat symlink from /dev.
  * Remove /var/log/news/news.* log handling. (Closes: #1135791)
  * Remove /var/log/lpr.log log handling.
  * Remove /var/log/uucp.log log handling.
  * Enable /var/log/cron.log log handling for cron facility.
  * Place /var/log/syslog as the first log file, before /var/log/auth.log.
  * Move commented out tty log handling entry to an example config fragment.
  * Move enabled xconsole log handling entry to an example config fragment.
  * Fix typos in syslog.conf(5) man page.
  * Add explicit mentions of /etc/syslog.d/ into man pages.

inetutils (2:2.8-1ubuntu1) stonking; urgency=medium

  * Merge with Debian unstable. Remaining changes:
    - Do not test the inetutils-ping package (LP #2009814)
      + d/t/test-root-commands: disable ping tests
      + d/t/control: remove inetutils-ping dependency

inetutils (2:2.8-1) unstable; urgency=medium

  * New upstream release.
    - Remove patches merged upstream.
    - Update copyright years.
    - Update telnetd man page to remove --debug option.
  * Remove build dependency on debhelper (>= 13.10) implied by
    debhelper-compat (= 13) since Debian bookworm.
  * Remove build dependencies on automake, autoconf and libtool implied
    by debhelper-compat (>= 10) since Debian stretch.
  * Switch to Standards-Version 4.7.4 (no changes needed).
  * Improve package descriptions:
    - Do not capitalize program names, instead prefix them with "the".
    - Clarify these are GNU tools.
    - Clarify that inetutils-ping contains ping and ping6 for ICMP and ICMP6.
    - Add FTP acronym to the synopsis.
    - Use talk client/server instead of tools to talk/communicate with users.
    - Fix grammar for inetutils-talkd.
  * Add a source package Description field.

inetutils (2:2.7-5) unstable; urgency=medium

  * Adapt netkit-telnet patch to not leak unexported environment variables to
    telnetd. Reported by Justin Swartz <[email protected]>.
    Fixes CVE-2026-32772. (Closes: #1130741)
  * Prevent user local privilege escalation using --debug, which was
    susceptible to symlink attacks, or leaking on-wire credentials to a
    user that had pre-created the file and kept it open. Fix by switching
    from /tmp/telnet.debug to /run/telnet/debug.<pid>, and making the
    setup error checks fatal.
    Partially reported by Justin Swartz <[email protected]>.
  * Update local telnetd man page to match new --debug behavior.
  * Fix typo in AUTHORS file. (Closes: #1127398)

inetutils (2:2.7-4) unstable; urgency=high

  * Update patch metadata.
  * Add patches from upstream:
    - Ignore all environment options from clients unless the variable was
      listed in the new --accept-env telnetd option. This mitigates privilege
      escalation using environment variables.
      This is the complete fix for CVE-2026-24061, with its own CVE pending.
    - Fix stack buffer overflow processing SLC suboption triplets.
      Reported by Adiel Sol, Arad Inbar, Erez Cohen, Nir Somech, Ben Grinberg,
      Daniel Lubel at DREAM Security Research Team.
      Fixes CVE-2026-32746. (Closes: #1130742)

inetutils (2:2.7-3) unstable; urgency=high

  * Add patch from upstream:
    - Prevent privilege escalation via telnetd abusing systemd service
      credentials support added to the login(1) implementation of util-linux in
      release 2.40. Reported by Ron Ben Yizhak <[email protected]>.
      Fixes CVE-2026-28372.
  * Remove unused lintian override very-long-line-length-in-source-file.

 -- Zineb Zaadoud <[email protected]>  Tue, 16 Jun 2026 22:02:01 +0200

** Changed in: inetutils (Ubuntu)
Status: New => Fix Released
** CVE added: https://cve.org/CVERecord?id=CVE-2026-24061
** CVE added: https://cve.org/CVERecord?id=CVE-2026-28372
** CVE added: https://cve.org/CVERecord?id=CVE-2026-32746
** CVE added: https://cve.org/CVERecord?id=CVE-2026-32772
https://bugs.launchpad.net/bugs/2153307
Title:
Merge inetutils from Debian for stonking cycle