[SECURITY] [DSA 6144-1] inetutils security update

To: debian-security-announce@lists.debian.org
Subject: [SECURITY] [DSA 6144-1] inetutils security update
From: Salvatore Bonaccorso <carnil@debian.org>
Date: Thu, 19 Feb 2026 20:41:17 +0000
Message-id: <[🔎] E1vtApp-00Dikn-2M@seger.debian.org>
Reply-to: debian-security-announce-request@lists.debian.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-6144-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
February 19, 2026                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : inetutils
CVE ID         : not yet available

Ron Ben Yizhak discovered that the inetutils implementation of telnetd
didn't sanitise the CREDENTIALS_DIRECTORY environment variable before
passing it to the login binary. This could be exploited to bypass
authentication and login as root.

For the stable distribution (trixie), this problem has been fixed in
version 2:2.6-3+deb13u2.

We recommend that you upgrade your inetutils packages.

For the detailed security status of inetutils please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/inetutils

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmmXdTNfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND
z0QRKQ/+K63a70DREAiZYGWbxQ2isYHdARYE6UYvqu2oU1klKk5FGEYh9T1yHlD1
5+RUhZf9xGwRqm7Zj1Ok8y5vAm/rvTnHf5jK1f+eBpV7cI/t7aD8cBpjL3HVr3Lg
ve+0AWjKnew3mWsenfVqCD1jOP0emk99YRsJitdnyNQimG1GBXlAJXxLyfE/p5o8
AfpYr34q0XcGCRW2JfKjUxqHiUlk0XnQbX5NnGo4ptU8R3itJLTy4E7pO7ivzlXm
bOGRX7HYZ7b0R+BBiS9STXtOma5gnfICZ7rV17XwuNn4Qq6dcB7uQaBOIc8HzZL2
b4nfIwQB/WVI76tWwwOrBsAkKwFbGLLL+rOTp9SL8KJZNGmK0nR8NmHemOQHzgYm
SzaqrwATxiBuXIbifL7crMf6rJtwSmKMPgM4UhIHFlBPKKN6++RFnzE3Ys1Wx7HH
WXilxZHENnXLYKPK74H4SKT2Oiqi8wsgH+nnVBXG5G4EcXGe46om6la9dKcu8Rr0
wKKeQKOr4lsfdiAWlSq+I6aJAJWatEXIYJ0y+zOAkmt1Ytaj+ii6ltLvuHWCc42V
1yH2rnGps7GHEQRsy8YcxIg/mUhT4M6OKrzVbb2VelRu8+6MFAz/GBl80Dwcrjau
stIqNt7r7vwk1wHGPr+6IZWvdSWQbuo23O0Pd0OHU/yi6gBXQOQ=
=wPpk
-----END PGP SIGNATURE-----

Reply to:

Prev by Date: [SECURITY] [DSA 6143-1] libvpx security update
Next by Date: [SECURITY] [DSA 6145-1] nova security update
Previous by thread: [SECURITY] [DSA 6143-1] libvpx security update
Next by thread: [SECURITY] [DSA 6145-1] nova security update
Index(es):
- Date
- Thread