Skip to content

inetutils: 2.6 -> 2.7, apply patches for CVE-2026-24061#482476

Merged
vcunat merged 1 commit into
NixOS:stagingfrom
LeSuisse:inetutils-2.7-CVE-2026-24061
Jan 25, 2026
Merged

inetutils: 2.6 -> 2.7, apply patches for CVE-2026-24061#482476
vcunat merged 1 commit into
NixOS:stagingfrom
LeSuisse:inetutils-2.7-CVE-2026-24061

Conversation

@LeSuisse

Copy link
Copy Markdown
Member

https://lists.gnu.org/archive/html/bug-inetutils/2026-01/msg00004.html

2.7 release also seems to include another security fix:

syslogd: Fix a stack-based buffer overflow (CWE-121).

Changes:
https://codeberg.org/inetutils/inetutils/src/tag/v2.7/NEWS.md

Things done

  • Built on platform:
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • Tested, as applicable:
  • Ran nixpkgs-review on this PR. See nixpkgs-review usage.
  • Tested basic functionality of all binary files, usually in ./result/bin/.
  • Nixpkgs Release Notes
    • Package update: when the change is major or breaking.
  • NixOS Release Notes
    • Module addition: when adding a new NixOS module.
    • Module update: when the change is significant.
  • Fits CONTRIBUTING.md, pkgs/README.md, maintainers/README.md and other READMEs.

https://lists.gnu.org/archive/html/bug-inetutils/2026-01/msg00004.html

2.7 release also seems to include another security fix:
> syslogd: Fix a stack-based buffer overflow (CWE-121).

Changes:
https://codeberg.org/inetutils/inetutils/src/tag/v2.7/NEWS.md
@LeSuisse LeSuisse added 1.severity: security Issues which raise a security issue, or PRs that fix one backport staging-25.11 labels Jan 21, 2026
@nixpkgs-ci nixpkgs-ci Bot added 10.rebuild-linux: 501+ This PR causes many rebuilds on Linux and should normally target the staging branches. 10.rebuild-darwin: 11-100 This PR causes between 11 and 100 packages to rebuild on Darwin. 10.rebuild-linux: 1001-2500 This PR causes many rebuilds on Linux and should target the staging branches. 9.needs: reviewer This PR currently has no reviewers requested and needs attention. labels Jan 21, 2026
@vcunat vcunat added this pull request to the merge queue Jan 25, 2026
Merged via the queue into NixOS:staging with commit 2e1d04f Jan 25, 2026
34 of 36 checks passed
@nixpkgs-ci

nixpkgs-ci Bot commented Jan 25, 2026

Copy link
Copy Markdown
Contributor

Successfully created backport PR for staging-25.11:

@github-actions github-actions Bot added the 8.has: port to stable This PR already has a backport to the stable release. label Jan 25, 2026
@LeSuisse LeSuisse deleted the inetutils-2.7-CVE-2026-24061 branch January 25, 2026 09:54
@vcunat

vcunat commented Feb 6, 2026

Copy link
Copy Markdown
Member

I think this is what broke build on *-darwin. Probably on both branches, but we're going first with staging-next-25.11 now:
https://hydra.nixos.org/build/320557018/nixlog/6/tail

@vcunat

vcunat commented Feb 6, 2026

Copy link
Copy Markdown
Member

/cc inetutils.meta.maintainers: @matthewbauer
/cc PR #483601

@vcunat

vcunat commented Feb 7, 2026

Copy link
Copy Markdown
Member

The problem seems to be in the vendored gnulib version, in particular.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

1.severity: security Issues which raise a security issue, or PRs that fix one 8.has: port to stable This PR already has a backport to the stable release. 9.needs: reviewer This PR currently has no reviewers requested and needs attention. 10.rebuild-darwin: 11-100 This PR causes between 11 and 100 packages to rebuild on Darwin. 10.rebuild-linux: 501+ This PR causes many rebuilds on Linux and should normally target the staging branches. 10.rebuild-linux: 1001-2500 This PR causes many rebuilds on Linux and should target the staging branches.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

telnetd in GNU Inetutils through 2.7 allows remote authentication bypass …

2 participants