Debian alert DLA-4453-1 (inetutils)
| From: | Andreas Henriksson <andreas@fatal.se> | |
| To: | debian-lts-announce@lists.debian.org | |
| Subject: | [SECURITY] [DLA 4453-1] inetutils security update | |
| Date: | Sun, 25 Jan 2026 00:04:16 +0100 | |
| Message-ID: | <2cpu3gldffr42zmpkp32mowsee4m75xnu2gpktjncaem6xsocd@gtxzpiwerswi> |
------------------------------------------------------------------------- Debian LTS Advisory DLA-4453-1 debian-lts@lists.debian.org https://www.debian.org/lts/security/ Andreas Henriksson January 25, 2026 https://wiki.debian.org/LTS ------------------------------------------------------------------------- Package : inetutils Version : 2:2.0-1+deb11u3 CVE ID : CVE-2026-24061 Debian Bug : 1126047 Kyu Neushwaistein aka Carlos Cortes Alvarez found that inetutils, a collection of common network programs, was vulnerable to an authentication bypass problem in telnetd, which could lead to remote root shell access (if telnetd is enabled and exposed). As described also in the GNU InetUtils security advisory, it is not recommended to run telnetd server at all. At a minimum, restrict network access to the telnet port to trusted clients only. There is after all no encryption built into the telnet protocol, so authentication details would be sent in plain text over the network (which thus needs to be trusted). For more details see the GNU InetUtils Security Advisory: https://lists.gnu.org/archive/html/bug-inetutils/2026-01/... For Debian 11 bullseye, this problem has been fixed in version 2:2.0-1+deb11u3. We recommend that you upgrade your inetutils packages. For the detailed security status of inetutils please refer to its security tracker page at: https://security-tracker.debian.org/tracker/inetutils Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
Attachment: signature.asc (type=application/pgp-signature)
-----BEGIN PGP SIGNATURE----- iQIzBAABCgAdFiEE+uHltkZSvnmOJ4zCC8R9xk0TUwYFAml1T+4ACgkQC8R9xk0T UwY/tw/+PLdmyu7EVKkFo7xfsDyJQhpAOHbsznSJIxvRziOvvbxx/KeN2S2fHxxM xphrXjfPIgEMCHVP8bw0rPXM/dPBTdbO4O+0H9/lPxmdHyaxGhD7zqMUYw6wAsyl GkTr9M5Qpu9X4dyCqPKEvvR98XC/uUrON6AkxJftIfXmX2+GVUXyBb358a2K5V9g zjjnzwTl7CXGN3oqFBhl6JhbtfS3XZXucsqt74ksBffOJf1v4ZGQn9BsrC+0J0OL PampdzBV3mWefYTUgmRQKxtWexYqWZfRbznBkUarAXOv1YIG0Ex/ALEorI/mHXH8 JXMsl/b2UUTsTXCNMBbQCr8CPUm7Uahyx308H1Eh+55qhXvNd11m6rUAEiAhpJ+m TrEasFPxdhDMEZ8CCxSdnLD/TGpFNQwek9JbJB4cX4UmlDpV/bRE0qXe2Lcg+uYp NDYoFuRJEUKxHw5SwKijYu81PKT90pnJK5WFXc01WCcTSSGUHco+yiZP+75kwV/7 L0gVgdQBgBSWbSdBsOUcPGWTboRd8CKZ2+4lfSQm/mqr11APGJqsnJ0470E5wuWX hbvvZOFFrN/rk5MKqRM2aOutzsAmThUFET7vHDVoREx2bhqf3S3u++bo83bTANmj 7iox7xQNLrnOYSqa/kP1KUc39eVuekmrJLk6bLE/erfuQsXqE3o= =2OYz -----END PGP SIGNATURE-----