Inetutils GNU Inetutils

Don't miss out!

Thousands of developers use stack.watch to stay informed.
Get an email whenever new security vulnerabilities are reported in GNU Inetutils.

By the Year

In 2024 there have been 0 vulnerabilities in GNU Inetutils . Last year Inetutils had 1 security vulnerability published. Right now, Inetutils is on track to have less security vulnerabilities in 2024 than it did last year.

Year Vulnerabilities Average Score
2024 0 0.00
2023 1 7.80
2022 1 7.50
2021 1 6.50
2020 0 0.00
2019 0 0.00
2018 0 0.00

It may take a day or so for new Inetutils vulnerabilities to show up in the stats or in the list of recent security vulnerabilties. Additionally vulnerabilities may be tagged under a different product or component name.

Recent GNU Inetutils Security Vulnerabilities

GNU inetutils before 2.5 may

CVE-2023-40303 7.8 - High - August 14, 2023

GNU inetutils before 2.5 may allow privilege escalation because of unchecked return values of set*id() family functions in ftpd, rcp, rlogin, rsh, rshd, and uucpd. This is, for example, relevant if the setuid system call fails when a process is trying to drop privileges before letting an ordinary user control the activities of the process.

Unchecked Return Value

telnetd in GNU Inetutils through 2.3, MIT krb5-appl through 1.0.3, and derivative works has a NULL pointer dereference

CVE-2022-39028 7.5 - High - August 30, 2022

telnetd in GNU Inetutils through 2.3, MIT krb5-appl through 1.0.3, and derivative works has a NULL pointer dereference via 0xff 0xf7 or 0xff 0xf8. In a typical installation, the telnetd application would crash but the telnet service would remain available through inetd. However, if the telnetd application has many crashes within a short time interval, the telnet service would become unavailable after inetd logs a "telnet/tcp server failing (looping), service terminated" error. NOTE: MIT krb5-appl is not supported upstream but is shipped by a few Linux distributions. The affected code was removed from the supported MIT Kerberos 5 (aka krb5) product many years ago, at version 1.8.

NULL Pointer Dereference

The ftp client in GNU Inetutils before 2.2 does not validate addresses returned by PASV/LSPV responses to make sure they match the server address

CVE-2021-40491 6.5 - Medium - September 03, 2021

The ftp client in GNU Inetutils before 2.2 does not validate addresses returned by PASV/LSPV responses to make sure they match the server address. This is similar to CVE-2020-8284 for curl.

Insufficient Verification of Data Authenticity

Stay on top of Security Vulnerabilities

Want an email whenever new vulnerabilities are published for Debian Linux or by GNU? Click the Watch button to subscribe.

GNU
Vendor

GNU Inetutils
Product

subscribe