Home / mailings [SECURITY] [DSA 6144-1] inetutils security update
Posted on 19 February 2026
Debian Security Advisory- -------------------------------------------------------------------------
Debian Security Advisory DSA-6144-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
February 19, 2026 https://www.debian.org/security/faq
- -------------------------------------------------------------------------
Package : inetutils
CVE ID : not yet available
Ron Ben Yizhak discovered that the inetutils implementation of telnetd
didn't sanitise the CREDENTIALS_DIRECTORY environment variable before
passing it to the login binary. This could be exploited to bypass
authentication and login as root.
For the stable distribution (trixie), this problem has been fixed in
version 2:2.6-3+deb13u2.
We recommend that you upgrade your inetutils packages.
For the detailed security status of inetutils please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/inetutils
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
Mailing list: debian-security-announce@lists.debian.org
