ELA-1692-1 inetutils security update

multiple vulnerabilities

2026-04-22
Package: inetutils
Version: 2:1.9.4-2+deb9u5 (stretch), 2:1.9.4-7+deb10u5 (buster)
Related CVEs: CVE-2026-24061 CVE-2026-28372 CVE-2026-32746 CVE-2026-32772


Multiple vulnerabilities were found in telnetd (server) and telnet (client) in the GNU inetutils suite. The vulnerabilities include reading arbitrary environment variables from the connecting client (information disclosure), an out-of-bounds write in the server (potential remote code execution), and potential abuse of the service credentials support in util-linux login 2.40. That version is not part of Debian buster or stretch, but it could become a problem if the local system administrator decided to update to a newer version of their own accord.



For Debian 10 buster, these problems have been fixed in version 2:1.9.4-7+deb10u5.

For Debian 9 stretch, these problems have been fixed in version 2:1.9.4-2+deb9u5.

We recommend that you upgrade your inetutils packages.

Further information about Extended LTS security advisories can be found in the dedicated section of our website.