CVS commit: pkgsrc/net/inetutils

To: pkgsrc-changes%NetBSD.org@localhost
Subject: CVS commit: pkgsrc/net/inetutils
From: "Thomas Klausner" <wiz%netbsd.org@localhost>
Date: Thu, 30 Apr 2026 05:44:15 +0000

Module Name:    pkgsrc
Committed By:   wiz
Date:           Thu Apr 30 05:44:15 UTC 2026

Modified Files:
        pkgsrc/net/inetutils: Makefile distinfo
Removed Files:
        pkgsrc/net/inetutils/patches: patch-telnetd_utility.c

Log Message:
inetutils: update to 2.8.

# Noteworthy changes in release 2.8 (2026-04-29) [stable]

** telnetd no longer supports the --debug (-D) option.  Previously, it
would open a predictable file name at /tmp/telnet.debug, following it if
it were a symbolic link.  The data printed to it could also be
controlled by a client.  These behaviors could be combined to result in
a local privilege escalation.  Reported by Justin Swartz in
<https://lists.gnu.org/r/bug-inetutils/2026-03/msg00040.html>.
Guillem Jover also mentioned that another user can create the file
before telnetd does, keep the file open, and snoop on sessions which may
include credentials in
<https://lists.gnu.org/r/bug-inetutils/2026-03/msg00048.html>.

** telnet no longer leaks the value of unexported environment variables
to servers sending the NEW-ENVIRON SEND USERVAR command.
Reported by Justin Swartz in
<https://www.openwall.com/lists/oss-security/2026/03/13/1>.

** telnetd no longer allows clients to write past the end of a stack
allocated buffer, possibly leading to remote code execution, using an
SLC suboption with many triplets using function octets greater than 18.
CVE-2026-32746
Reported by Adiel Sol, Arad Inbar, Erez Cohen, Nir Somech, Ben Grinberg,
Daniel Lubel at DREAM Security Research Team in
<https://lists.gnu.org/r/bug-inetutils/2026-03/msg00031.html>.

** telnetd now ignores all environment options by default.  Environment
variables passed by the new --accept-env option can bypass this
restriction.  This is necessary to avoid vulnerabilities similar to
CVE-2026-28372, since many different environment variables can be used
to escalate privileges.

** Fix telnetd remote authentication by-pass vulnerability.  CVE-2026-24061
Reported by Kyu Neushwaistein.  Initial patch by Paul Eggert; further
improvements and security advisory by Simon Josefsson.

** Prevent privilege escalation via telnetd abusing systemd service
credentials support added to the login(1) implementation of util-linux
in release 2.40.  CVE-2026-28372
Reported by Ron Ben Yizhak@SafeBreach in
<https://lists.gnu.org/archive/html/bug-inetutils/2026-02/msg00000.html>.

** telnet: Drop everything related to TN3270.
The code did not build (several missing required header files) and
even if we could fix it, we have no way to test it. It may contain
security vulnerabilities.

** inetd: Adds new --foreground parameter to avoid forking.
See <https://codeberg.org/inetutils/inetutils/pulls/10>, patch by
Guillem Jover.

** Paths uses $(runstatedir) instead of $(localstatedir)/run for PID files etc.
The intention is that this is a no-op for normal installations, and
the files should end up in the same paths because the default value
for $(runstatedor) is $(localstatedir)/run.

** Some compiler warnings are now enabled by default.
Disable with --enable-gcc-warnings=no.  Based on the Gnulib
manywarnings module, see
<https://www.gnu.org/software/gnulib/manual/html_node/manywarnings.html>.

** configure.ac avoid implicit declaration of tcpd.h hosts_ctl.
Patch and report by Mike Gilbert <floppym%gentoo.org@localhost> in
<https://lists.gnu.org/archive/html/bug-inetutils/2026-03/msg00026.html>.

** tests: Improve libls test that doesn't work reliably across file systems.
See <https://codeberg.org/inetutils/inetutils/pulls/9>.

** Older ChangeLog.? files not included in release tarball.
They are still available in the git history.  Saves around 0.7MB
uncompressed in the release tarball.  Compare GNU CoreUtils
https://cgit.git.savannah.gnu.org/cgit/coreutils.git/commit/NEWS?id=4e112e90b11b70bd6dc5b441f820803fc2aadd69.


To generate a diff of this commit:
cvs rdiff -u -r1.12 -r1.13 pkgsrc/net/inetutils/Makefile
cvs rdiff -u -r1.8 -r1.9 pkgsrc/net/inetutils/distinfo
cvs rdiff -u -r1.1 -r0 pkgsrc/net/inetutils/patches/patch-telnetd_utility.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/net/inetutils/Makefile
diff -u pkgsrc/net/inetutils/Makefile:1.12 pkgsrc/net/inetutils/Makefile:1.13
--- pkgsrc/net/inetutils/Makefile:1.12  Sun Apr 19 19:15:38 2026
+++ pkgsrc/net/inetutils/Makefile       Thu Apr 30 05:44:15 2026
@@ -1,7 +1,6 @@
-# $NetBSD: Makefile,v 1.12 2026/04/19 19:15:38 vins Exp $
+# $NetBSD: Makefile,v 1.13 2026/04/30 05:44:15 wiz Exp $
 
-DISTNAME=      inetutils-2.7
-PKGREVISION=   1
+DISTNAME=      inetutils-2.8
 CATEGORIES=    net
 MASTER_SITES=  ${MASTER_SITE_GNU:=inetutils/}
 
@@ -12,6 +11,9 @@ LICENSE=      gnu-gpl-v3
 
 TOOL_DEPENDS+=         help2man-[0-9]*:../../converters/help2man
 
+# as of 2.8:
+# two test failure due to ctype(3) misuse, reported upstream per email
+
 USE_TOOLS+=            makeinfo yacc
 INFO_FILES=            yes
 

Index: pkgsrc/net/inetutils/distinfo
diff -u pkgsrc/net/inetutils/distinfo:1.8 pkgsrc/net/inetutils/distinfo:1.9
--- pkgsrc/net/inetutils/distinfo:1.8   Sun Apr 19 19:15:38 2026
+++ pkgsrc/net/inetutils/distinfo       Thu Apr 30 05:44:15 2026
@@ -1,10 +1,9 @@
-$NetBSD: distinfo,v 1.8 2026/04/19 19:15:38 vins Exp $
+$NetBSD: distinfo,v 1.9 2026/04/30 05:44:15 wiz Exp $
 
-BLAKE2s (inetutils-2.7.tar.gz) = 537183861935001f209af6f8a4a1d9e223bb879aedc4ec0f180a98aaeda2feee
-SHA512 (inetutils-2.7.tar.gz) = 8f36bea126108e8f48f2c436c9ff11684f3bd51c4e48090f0ab8626b8c5878b6dc8c64b84cd7a6220913f68c8602b37c8ac632fe9ef530bf5018c6e51ee1a90b
-Size (inetutils-2.7.tar.gz) = 3157952 bytes
+BLAKE2s (inetutils-2.8.tar.gz) = 4c862ef324da6b9b1ad62d24e56de4918425776fd7d204efaaecd7cdf595e80c
+SHA512 (inetutils-2.8.tar.gz) = 00b33c9d712cf670f16dbefc963fed880088ff67f506df54fd02fdfc0f8c05d379faba5d602c8772c4dc4fd72e1fa8733777d5840784aa86e092eeb5d0f905f7
+Size (inetutils-2.8.tar.gz) = 2985957 bytes
 SHA1 (patch-libinetutils_libinetutils.h) = 4fd40c71340a90cbe606b71655555d98dfc7e2c6
 SHA1 (patch-ping_Makefile.in) = bfc193800d353496ce2dc639803c356eef7a655a
 SHA1 (patch-src_Makefile.in) = a8321822fdd68db4ec86ad232b59aaad92583297
 SHA1 (patch-src_syslogd.c) = 608579f47456d85b29520e7021c86cf80f6faa1c
-SHA1 (patch-telnetd_utility.c) = b47deef43e1b701af085b59ae09604b5a911113c

Prev by Date: CVS commit: pkgsrc/doc
Next by Date: CVS commit: pkgsrc/doc
Previous by Thread: CVS commit: pkgsrc/doc
Next by Thread: CVS commit: pkgsrc/doc
Indexes:

Home | Main Index | Thread Index | Old Index