Re: telnetd security vulnerability CVE-2020-10188
From: Guillem Jover
Subject: Re: telnetd security vulnerability CVE-2020-10188
Date: Sat, 11 Apr 2020 20:06:20 +0200
On Sat, 2020-04-11 at 13:03:34 -0400, Alfred M. Szmidt wrote:
> > Thank you for your bug report, please specify which inetutils versions
> > you are referring to in pristine condition without any patches. You
> > mention an assert, which assert exactly?
>
> The inetutils version in Debian is based off upstream's 1.9.4 with
> 30 patches from upstream git master, plus 7 local patches (only 3
> of which are pending and relevant to be sent upstream) and all of
> these local patches are completely irrelevant to the issue at hand.
>
> That is a premature, and irresponsible decision to make. Those that
> maintain inetutils cannot possibly know that.
>
> The assert is from the python PoC itself. I also mentioned that I've
> not done any proper analysis on anything, not even properly read the
> full advisory, and while my guess is that upstream pristine inetutils
> is pretty much affected, I cannot confirm it. But provided enough
> information, links and context to go from here, which apparently has
> gone unread.
>
> Clearly, that isn't the case -- since _I_ answer the email. What is
> clear is that Debian has no interest in working with upstream. You
> are more insistent to put blame on people working on the code than
> actually take responsibility and trying to correct the situation.
Oh wow, this is all from the start a great example of the GNU Kind
Communication Guidelines being in play…
> So please, someone, take a proper look at the aforementioned information,
> and go from there.
>
> Can you do so, instead of going off tangents?
Err, seriously? No… right now I've got zero motivation to even think
about dealing with this… I'm out.
Guillem