------------------------------------------------------------------------- Debian LTS Advisory DLA-4453-1 [email protected] https://www.debian.org/lts/security/ Andreas Henriksson January 25, 2026 https://wiki.debian.org/LTS -------------------------------------------------------------------------
Package : inetutils Version : 2:2.0-1+deb11u3 CVE ID : CVE-2026-24061 Debian Bug : 1126047 Kyu Neushwaistein aka Carlos Cortes Alvarez found that inetutils, a collection of common network programs, was vulnerable to an authentication bypass problem in telnetd, which could lead to remote root shell access (if telnetd is enabled and exposed). As described also in the GNU InetUtils security advisory, it is not recommended to run telnetd server at all. At a minimum, restrict network access to the telnet port to trusted clients only. There is after all no encryption built into the telnet protocol, so authentication details would be sent in plain text over the network (which thus needs to be trusted). For more details see the GNU InetUtils Security Advisory: https://lists.gnu.org/archive/html/bug-inetutils/2026-01/msg00004.html For Debian 11 bullseye, this problem has been fixed in version 2:2.0-1+deb11u3. We recommend that you upgrade your inetutils packages. For the detailed security status of inetutils please refer to its security tracker page at: https://security-tracker.debian.org/tracker/inetutils Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
signature.asc
Description: PGP signature
