Re: CVS commit: pkgsrc/doc

[Leonardo Taccari <leot%NetBSD.org@localhost>]

Hello Paolo,

Paolo Vincenzo Olivo writes:
> Module Name:  pkgsrc
> Committed By: vins
> Date:         Sat Feb  7 10:00:30 UTC 2026
>
> Modified Files:
>       pkgsrc/doc: pkg-vulnerabilities
>
> Log Message:
> doc: add reference to CVE-2026-24061
> [...]

The CVE-2026-24061 description says "through 2.7" and indeed it seems
that also 2.7 is affected. I have reverted that change and preserved the
existing entry that said "<2.8" (not yet released).

That vulnerability seems fixed by upstream commits:

- ccba9f74 telnetd: Sanitize all variable expansions
- fd702c02 Fix injection bug with bogus user names

That are post-2.7 release.