Debian alert DSA-6106-1 (inetutils)
| From: | Salvatore Bonaccorso <carnil@debian.org> | |
| To: | debian-security-announce@lists.debian.org | |
| Subject: | [SECURITY] [DSA 6106-1] inetutils security update | |
| Date: | Thu, 22 Jan 2026 07:19:48 +0000 | |
| Message-ID: | <E1vioyq-000T0N-1K@seger.debian.org> |
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 - ------------------------------------------------------------------------- Debian Security Advisory DSA-6106-1 security@debian.org https://www.debian.org/security/ Salvatore Bonaccorso January 22, 2026 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : inetutils CVE ID : CVE-2026-24061 Debian Bug : 1126047 Kyu Neushwaistein discovered that telnetd from inetutils does not sanitize the USER environment variable before passing it on to login. A remote attacker can take advantage of this flaw to login as root, bypassing normal authentication processes. For the oldstable distribution (bookworm), this problem has been fixed in version 2:2.4-2+deb12u2. For the stable distribution (trixie), this problem has been fixed in version 2:2.6-3+deb13u1. We recommend that you upgrade your inetutils packages. For the detailed security status of inetutils please refer to its security tracker page at: https://security-tracker.debian.org/tracker/inetutils Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE----- iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmlxzzZfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2 NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND z0T9DA/+NgbuJjv8lzWbt9LFbEzmytoR6AyZMMQXgLwupKeZ3CeTSj9lj/MPUNqQ JnbkI2rExkbnviYhn53CpyN3IjizRQYaOrIYT4dBhFtk4VApH6JAP30AyEL89VFk y33S6bQCheKbt7NeXacXvKle1KyLT09kv2PrN3p0km5GT3Dfun1oTmwJzAuUoYn2 +4pZy+cInkb3sNmcxRGCszS33wimYUaz/hXNeQWByshzMjsxhhkdIoxmoAkXlXzT aa2kS55GmN6lGFNRjVdXPNUnRtjl3uPHIwvq+R9g4St6QTgtP69E7wx8lhnheogk BSe1+QvCk/wh4jRBdaCBLQZRbM36yG/1DXIsY1veXgG7G8N0yBGan/7hDhD4LNsE 98s1+jNWED5as5m8MN6sMrJpb4IrFEGonB5j5Ov+SfYpcsaf4Yf5ukRLaUJtTKHV dWVWKcVCDPo7tq47nMsmE/POz9rlTUZgpt3/VG1LM1H74XyrDaAgDovNkdd/f+SN H12bz0vpeVhnthshpR+lcIOo7JaQUSnVA5w5NGMM2XpJ3vxvPgK3VZjMBo4P3ysy ympRxS6qvAXMYjYe/7gGoCHfJCNZCMSlKSxDTKgwX/SmBCGdtNmOyMd+P51FY+Tk 1vk4O5c4gUgQ2P6esTmAo6CERYWs7GjK4t7i/LU1MDopDAY2BOI= =hWlj -----END PGP SIGNATURE-----