[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: telnetd security vulnerability CVE-2020-10188
|
From: |
Alfred M. Szmidt |
|
Subject: |
Re: telnetd security vulnerability CVE-2020-10188 |
|
Date: |
Sat, 11 Apr 2020 13:03:34 -0400 |
> Thank you for your bug report, please specify which inetutils versions
> you are refering to in pristine condition without any patches. You
> mention an assert, which assert exactly?
The inetutils version in Debian is based off upstream's 1.9.4 with
30 patches from upstream git master, plus 7 local patches (only 3
of which are pending and relevant to be sent upstream) and all of
these local patches are completely irrelevant to the issue at hand.
That is a premature, and irresponsible decision to make. Those that
maintain inetutils cannot possible know that.
The assert is from the python PoC itself. I also mentioned that I've
not done any proper analysis on anything, not even properly read the
full advisory, and while my guess is that upstream pristine inetutils
is pretty much affected, I cannot confirm it. But provided enough
information, links and context to go from here, which apparently has
gone unread.
Clearly, that isn't the case -- since _I_ answer the email. What is
clear is that Debian has no interest in working with upstream. You
are more insistant to put blame on people working on the code than
actually take responsibility and trying to corect the situation.
So please, someone, take a proper look at the aforementioned information,
and go from there.
Can you do so, instead of goin off tangets?