Guillem Jover <[email protected]> writes:

> Hi!
>
> On Thu, 2026-05-28 at 21:24:01 +1000, Tal Carmel wrote:
>> On Wed, May 27, 2026 at 10:25 PM Simon Josefsson wrote:
>> > Tal Carmel writes:
>> > > I'm reaching out on behalf of Delphos Labs because we discovered 2
>> > > vulnerabilities in inetutils.
>> > >
>> > > What email address should we use for security disclosures? We have POCs
>> > > which we would like to send securely.
>> >
>> > Hi!  Thanks for studying inetutils.  I believe it is fine to share to
>> > this public bug-inetutils list, so we all can help work on investigation
>> > and solutions to problems.
>
>> Just to confirm, are you sure you'd like me to disclose these POCs in a
>> public list? We would prefer to send this over a secure channel as this
>> information could be weaponised and affect current users of inetutils.
>
> Thank you for your thoughtfulness about the disclosure process! Really
> appreciated. While I'm not an upstream GNU inetutils maintainer (I just
> maintain the GNU inetutils packages in Debian), the current disclosure
> stance from upstream has caused extra pressure and undue burden on both
> the distro maintainers and their security teams, to try to get together
> fixes to be able to release security updates for those distros,

Well, the last serious, for lack of a better term, issue was from an LLM
thinking that it was reporting a bug privately.

> while there were either no releases from upstream or no ready fixes,
> which for the last iteration lasted for weeks. :/

I think it is important to note that I see absolutely zero benefit
from working on Inetutils. Monetarily, of course not. I would certainly
prefer spending my free time doing literally anything else. I cannot
speak for Simon, but I would not be surprised to hear the situation is
the same for him.

In fact, working on Inetutils probably harms my reputation. That is
probably exaggerating, but it is annoying to read the serial whiners at
watchTowr Labs say stupid stuff like this:

    Shamefully, the inetutils project hasn’t actually released a fixed
    version of their software (at least at the time of publishing). The
    newest version available for download - 2.7 - is still vulnerable.
    You’ll need to make sure you clone a fixed commit from git (this one
    or newer) and build from source.

As if creating a new release is easier for distributions than a patch.

That said, I think waiting two weeks is better than never receiving a
fix at all.

Collin
