Format: 1.8
Date: Mon, 30 Mar 2026 16:44:03 +0200
Source: inetutils
Architecture: source
Version: 2:2.6-3+deb13u3
Distribution: trixie-security
Urgency: high
Maintainer: Guillem Jover
Changed-By: Guillem Jover
Closes: 1130741 1130742
Changes:
 inetutils (2:2.6-3+deb13u3) trixie-security; urgency=high
 .
   * Add patches from upstream:
     - Ignore all environment options from clients unless the variable was
       listed in the new --accept-env telnetd option. This mitigates
       privilege escalation using environment variables.
       This is the complete fix for CVE-2026-24061, with its own CVE pending.
     - Fix stack buffer overflow processing SLC suboption triplets.
       Reported by Adiel Sol, Arad Inbar, Erez Cohen, Nir Somech,
       Ben Grinberg, Daniel Lubel at DREAM Security Research Team.
       Fixes CVE-2026-32746. (Closes: #1130742)
   * Add the hashcode-string1 module from forky/sid gnulib, required by the
     --accept-env patch.
   * Adapt netkit-telnet patch to not leak unexported environment variables
     to telnetd.
     Reported by Justin Swartz.
     Fixes CVE-2026-32772. (Closes: #1130741)
   * Prevent user local privilege escalation using --debug, which was
     susceptible to symlink attacks, or leaking on-wire credentials to a
     user that had pre-created the file and kept it open. Fix by switching
     from /tmp/telnet.debug to /run/telnet/debug., and making the setup
     error checks fatal.
     Partially reported by Justin Swartz.
   * Update local telnetd man page to match new --debug behavior.