diff -Naur inetutils-2.2.orig/libtelnet/genget.c inetutils-2.2-telnet_fixes/libtelnet/genget.c
--- inetutils-2.2.orig/libtelnet/genget.c	2021-05-25 17:54:19.000000000 +0200
+++ inetutils-2.2-telnet_fixes/libtelnet/genget.c	2022-05-15 18:25:10.818177363 +0200
@@ -90,7 +90,7 @@
   register char **c, **found;
   register int n;
 
-  if (name == 0)
+  if (name == 0 || (name[0] == ' ' && name[1] == '\0'))
     return 0;
 
   found = 0;
@@ -98,8 +98,6 @@
     {
       if ((n = isprefix (name, *c)) == 0)
 	continue;
-      if (n < 0)		/* exact match */
-	return (c);
       if (found)
 	return (&ambiguous);
       found = c;
diff -Naur inetutils-2.2.orig/NEWS inetutils-2.2-telnet_fixes/NEWS
--- inetutils-2.2.orig/NEWS	2021-09-01 21:41:08.000000000 +0200
+++ inetutils-2.2-telnet_fixes/NEWS	2022-05-15 18:51:11.356738788 +0200
@@ -1,5 +1,27 @@
 GNU inetutils NEWS -- history of user-visible changes.
 
+* Noteworthy changes in release ?.? (????-??-??) [?]
+
+** telnet
+
+Abort subnegotiation of X Display Location Option with WON'T when DISPLAY
+value is too large for buffer.  Reported by Joerg Mayer in
+<https://lists.gnu.org/archive/html/bug-inetutils/2022-01/msg00010.html>.
+
+Fix off-by-one error in Terminal-Type option subnegotiation if the TERM
+variable has exactly 44 bytes.  This concerns the CVE-2019-0053 fixes.
+Reported by Erik Auerswald in
+<https://lists.gnu.org/archive/html/bug-inetutils/2022-02/msg00004.html>.
+
+Avoid crashing when given unexpected or invalid commands.  Reported by
+Peter Kasza in
+<https://lists.gnu.org/archive/html/bug-inetutils/2017-06/msg00000.html>,
+AiDai in
+<https://savannah.gnu.org/bugs/?61725>,
+<https://savannah.gnu.org/bugs/?61726>,
+and ZFeiXQ in
+<https://lists.gnu.org/archive/html/bug-inetutils/2021-12/msg00017.html>.
+
 * Noteworthy changes in release 2.2 (2021-09-01) [stable]
 
 ** ftp
diff -Naur inetutils-2.2.orig/telnet/commands.c inetutils-2.2-telnet_fixes/telnet/commands.c
--- inetutils-2.2.orig/telnet/commands.c	2021-05-25 17:54:19.000000000 +0200
+++ inetutils-2.2-telnet_fixes/telnet/commands.c	2022-05-15 18:25:10.818177363 +0200
@@ -135,10 +135,12 @@
   int needconnect;		/* Do we need to be connected to execute? */
 } Command;
 
+#define TELNET_MAX_ARGS 20
+
 static char line[256];
 static char saveline[256];
 static int margc;
-static char *margv[20];
+static char *margv[TELNET_MAX_ARGS];
 
 static void
 makeargv (void)
@@ -162,6 +164,11 @@
 	c = *++cp;
       if (c == '\0')
 	break;
+      if (margc + 1 >= TELNET_MAX_ARGS)
+	{
+	  fprintf (stderr, "Ignoring excess arguments\n.");
+	  break;
+	}
       *argp++ = cp;
       margc += 1;
       for (cp2 = cp; c != '\0'; c = *++cp)
@@ -1139,6 +1146,11 @@
       (*ct->handler) (argv[2]);
       printf ("%s set to \"%s\".\n", ct->name, (char *) ct->charp);
     }
+  else if (!ct->charp)
+    {
+      fprintf (stderr, "'%s': invalid argument ('set ?' for help).\n",
+	       argv[1]);
+    }
   else
     {
       if (strcmp ("off", argv[2]))
@@ -1225,6 +1237,12 @@
 	  (*ct->handler) (0);
 	  printf ("%s reset to \"%s\".\n", ct->name, (char *) ct->charp);
 	}
+      else if (!ct->charp)
+	{
+	  fprintf (stderr, "'%s': invalid argument ('unset ?' for help).\n",
+		   name);
+	  return 0;
+	}
       else
 	{
 	  *(ct->charp) = _POSIX_VDISABLE;
@@ -2934,7 +2952,7 @@
 static char escapehelp[] = "deprecated command -- use 'set escape' instead";
 
 static Command cmdtab2[] = {
-  {"help", 0, help, 0},
+  {"help", helphelp, help, 0},
   {"escape", escapehelp, setescape, 0},
   {"crmod", crmodhelp, togcrmod, 0},
   {NULL, NULL, NULL, 0}
@@ -3093,7 +3111,7 @@
 	printf ("?Ambiguous help command %s\n", arg);
       else if (c == (Command *) 0)
 	printf ("?Invalid help command %s\n", arg);
-      else
+      else if (c->help)
 	printf ("%s\n", c->help);
     }
   return 0;
diff -Naur inetutils-2.2.orig/telnet/telnet.c inetutils-2.2-telnet_fixes/telnet/telnet.c
--- inetutils-2.2.orig/telnet/telnet.c	2021-05-25 17:54:19.000000000 +0200
+++ inetutils-2.2-telnet_fixes/telnet/telnet.c	2022-05-15 18:24:50.037742334 +0200
@@ -863,7 +863,7 @@
 	  name = gettermname ();
 	  len = strlen (name) + 4 + 2;
 
-	  if ((len < NETROOM ()) && (len <= (int) sizeof (temp)))
+	  if ((len < NETROOM ()) && (len < (int) sizeof (temp)))
 	    {
 	      snprintf ((char *) temp, sizeof (temp), "%c%c%c%c%s%c%c",
 			IAC, SB, TELOPT_TTYPE, TELQUAL_IS,
@@ -1011,11 +1011,13 @@
 	  /* Remote host, and display server must not be corrupted
 	   * by truncation.  In addition, every character of telnet
 	   * protocol must remain unsevered.  Check that DP fits in
-	   * full within TEMP.  Otherwise report buffer error.
+	   * full within TEMP.  Otherwise report buffer error and
+	   * turn off the option.
 	   */
 	  if (strlen ((char *) dp) >= sizeof (temp) - 4 - 2)
 	    {
-	      printf ("lm_will: not enough room in buffer\n");
+	      printf ("lm_will: not enough room in buffer for DISPLAY\n");
+	      send_wont (TELOPT_XDISPLOC, 1);
 	      break;
 	    }