On Fri Mar 13, 2026 at 1:42 PM GMT, Jeffrey Walton wrote:
FYI... from the OSS-Security mailing list at
<https://www.openwall.com/lists/oss-security/2026/03/13/1>. This
caught my eye:
Debian's switch from netkit telnet to inetutils telnet during
the Debian 12 (Bookworm) cycle reintroduced this vulnerability
to the default installation.
Hmm. inetutils-telnet is Priority: standard. (It's the only binary
package built from inetutils source which is). At some point in time, it
would have been reasonable to expect a telnet client on any system. I'm
not sure if that's still true: it's probably due for assessment. I'm not
planning on pursuing this myself, though.
--
⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁ Jonathan Dowland
⢿⡄⠘⠷⠚⠋⠀ https://jmtd.net
⠈⠳⣄⠀⠀⠀⠀ Please do not CC me, I am subscribed to the list.
