Debian 10: DLA-3611-1 Critical: Inetutils Code Execution and Escalation
debian lts
October 8, 2023
Security issues were discovered in inetutils, a collection of GNU network utilities, which could lead to privilege escalation or potentially execution of arbitrary code
Topics Covered
Summary
CVE-2019-0053
Thorsten Alteholz discovered that CVE-2019-0053 was patched
incorrectly in inetutils 2:1.9.4-7+deb10u3. The original
vulnerability remained: inetutils' telnet client doesn't
sufficiently validate environment variables, which can lead to
stack-based buffer overflows. (This issue is limited to local
exploitation from restricted shells.)
CVE-2023-40303
Jeffrey Bencteux discovered that several setuid(), setgid(),
seteuid() and setguid() return values were not checked in ftpd/
rcp/rlogin/rsh/rshd/uucpd code, which may lead to privilege
escalation.
For Debian 10 buster, these problems have been fixed in version
2:1.9.4-7+deb10u3.
We recommend that you upgrade your inetutils packages.
For the detailed security status of inetutils please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/source-package/inetutils
Further information about Debian LTS security advisories, how to apply
PREVIOUS
NEXT
Severity
critical
Lowest
Low
Medium
High
Critical
Package: inetutils
Version: 2:1.9.4-7+deb10u3
CVE ID: CVE-2019-0053 CVE-2023-40303
Debian Bug: 945861 1049365
Topics Covered
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!