Re: telnetd security vulnerability CVE-2020-10188

[Guillem Jover]

On Sat, 2020-04-11 at 13:03:34 -0400, Alfred M. Szmidt wrote:
>    > Thank you for your bug report, please specify which inetutils versions
>    > you are refering to in pristine condition without any patches.  You
>    > mention an assert, which assert exactly?
> 
>    The inetutils version in Debian is based off upstream's 1.9.4 with
>    30 patches from upstream git master, plus 7 local patches (only 3
>    of which are pending and relevant to be sent upstream) and all of
>    these local patches are completely irrelevant to the issue at hand.
> 
> That is a premature, and irresponsible decision to make.  Those that
> maintain inetutils cannot possible know that.
> 
>    The assert is from the python PoC itself. I also mentioned that I've
>    not done any proper analysis on anything, not even properly read the
>    full advisory, and while my guess is that upstream pristine inetutils
>    is pretty much affected, I cannot confirm it. But provided enough
>    information, links and context to go from here, which apparently has
>    gone unread.
> 
> Clearly, that isn't the case -- since _I_ answer the email.  What is
> clear is that Debian has no interest in working with upstream.  You
> are more insistant to put blame on people working on the code than
> actually take responsibility and trying to corect the situation.

Oh wow, this is all from the start a great example of the GNU Kind
Communication Guidelines being in play…

>    So please, someone, take a proper look at the aforementioned information,
>    and go from there.
> 
> Can you do so, instead of goin off tangets?

Err, seriously? No… right now I've got zero motivation to even think
about dealing with this… I'm out.

Guillem