| Package | inetutils |
|---|---|
| Version | 1.9.4-2+deb9u4 (stretch), 2:1.9.4-7+deb10u4 (buster) |
| Related CVEs | CVE-2026-24061 |
Kyu Neushwaistein aka Carlos Cortes Alvarez found that inetutils, a collection of common network programs, was vulnerable to an authentication bypass problem in telnetd, which could lead to remote root shell access (if telnetd is enabled and exposed).
As described also in the GNU InetUtils security advisory, it is not recommended to run telnetd server at all. At a minimum, restrict network access to the telnet port to trusted clients only. There is after all no encryption built into the telnet protocol, so authentication details would be sent in plain text over the network (which thus needs to be trusted).
For more details see the GNU InetUtils Security Advisory: https://lists.gnu.org/archive/html/bug-inetutils/2026-01/msg00004.html
For Debian 10 buster, these problems have been fixed in version 2:1.9.4-7+deb10u4.
For Debian 9 stretch, these problems have been fixed in version 1.9.4-2+deb9u4.
We recommend that you upgrade your inetutils packages.
Further information about Extended LTS security advisories can be found in the dedicated section of our website.