[From nobody Mon Jun  1 21:27:11 2026
Received: (at submit) by bugs.debian.org; 31 May 2026 18:45:03 +0000
X-Spam-Checker-Version: SpamAssassin 4.0.1-bugs.debian.org_2005_01_02
 (2024-03-25) on buxtehude.debian.org
X-Spam-Level: 
X-Spam-Status: No, score=-20.0 required=4.0 tests=BAYES_00,
 BODY_INCLUDES_PACKAGE,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,
 DKIM_VALID_EF,HAS_PACKAGE,PGPSIGNATURE,RCVD_IN_DNSWL_LOW,
 RCVD_IN_MSPIKE_H5,RCVD_IN_MSPIKE_WL,SPF_HELO_PASS,SPF_PASS
 autolearn=ham autolearn_force=no
 version=4.0.1-bugs.debian.org_2005_01_02
X-Spam-Bayes: score:0.0000 Tokens: new, 17; hammy, 87; neutral, 19; spammy, 2.
 spammytokens:0.993-1--H*r:53049, 0.941-+--H*r:bugs.debian.org
 hammytokens:0.000-+--H*ct:pgp-sha256, 0.000-+--XDebbugsCc,
 0.000-+--X-Debbugs-Cc, 0.000-+--H*ct:application,
 0.000-+--H*ct:protocol
Return-path: &lt;daniel@mindani.net&gt;
Received: from mail-4323.protonmail.ch ([185.70.43.23]:53049)
 by buxtehude.debian.org with esmtps
 (TLS1.3:ECDHE_X25519__RSA_PSS_RSAE_SHA256__AES_256_GCM:256)
 (Exim 4.96) (envelope-from &lt;daniel@mindani.net&gt;) id 1wTl9i-005IdD-37
 for submit@bugs.debian.org; Sun, 31 May 2026 18:45:03 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mindani.net;
 s=protonmail3; t=1780253099; x=1780512299;
 bh=iOjZzYlU4IGsmyMBYfJfwEiWHpi040VroQgDcbKp+dM=;
 h=Date:To:From:Subject:Message-ID:Feedback-ID:From:To:Cc:Date:
 Subject:Reply-To:Feedback-ID:Message-ID:BIMI-Selector;
 b=qNi/IbfzpeGRhUDBACsB4e45UVm4A2gc9TZ7S6mQmMD5GeU9CRD831XuAMh/nFRot
 bgCwpm2D2BQWQOey57AxMed1wcXQvV/m0miesGn2Y5R51oA+pkShW9NuVuAAtPNquC
 QrwjAX50/NCuSJjFt5JJ+efHrHr5myDyNHPqiq9tOdfCS0o4dFbzVMw6lQEDvFPz2q
 Z5YxfnpHrf5pEZcePhbfRB7wCTHqBr0hVE76Wtjm10BPM8Zd2cHwa0Ba6vLm1hKv4J
 tpwnx8l1ioWisuDKsBrKLjw2zRPaQEHKRsRw1/rh9Va5L0o77mBVo1MgKPRVpXHFXz
 4oK180KjMOIDA==
Date: Sun, 31 May 2026 18:44:56 +0000
To: submit@bugs.debian.org
From: Daniel Markstedt &lt;daniel@mindani.net&gt;
Subject: CVE-2026-7837: TOCTOU with root privilege in ad_flush
Message-ID: &lt;b2045ff2-383c-4af8-9c0a-b8b33af683a4@mindani.net&gt;
Feedback-ID: 84350481:user:proton
X-Pm-Message-ID: fea617609bd8f2344034236a6d08866d33f16ef9
MIME-Version: 1.0
Content-Type: multipart/signed; protocol=&quot;application/pgp-signature&quot;;
 micalg=pgp-sha256;
 boundary=&quot;------c0d38dca2e383decfb0a398f0af7c941b01c9e59409db9e874accbcd4f1bfa2f&quot;;
 charset=utf-8
Delivered-To: submit@bugs.debian.org
X-CrossAssassin-Score: 3

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--------c0d38dca2e383decfb0a398f0af7c941b01c9e59409db9e874accbcd4f1bfa2f
Content-Type: multipart/mixed;
 boundary=1315125554030ed8432fae337c3640d37f9d78b20a100653ae87a0e37481
Message-ID: &lt;b2045ff2-383c-4af8-9c0a-b8b33af683a4@mindani.net&gt;
Date: Sun, 31 May 2026 20:44:52 +0200
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Content-Language: en-US
To: submit@bugs.debian.org
From: Daniel Markstedt &lt;daniel@mindani.net&gt;
Subject: CVE-2026-7837: TOCTOU with root privilege in ad_flush

--1315125554030ed8432fae337c3640d37f9d78b20a100653ae87a0e37481
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit

Package: netatalk
Version: 4.4.3~ds-1
Severity: critical
Tags: security
X-Debbugs-Cc: 
team@security.debian.org,pkg-netatalk-devel@lists.alioth.debian.org

will be resolved by upgrading to upstream v4.5.0

--1315125554030ed8432fae337c3640d37f9d78b20a100653ae87a0e37481
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename=&quot;publickey - Daniel Markstedt -
 0x3C47642E.asc&quot;; name=&quot;publickey - Daniel Markstedt - 0x3C47642E.asc&quot;
Content-Type: application/pgp-keys; filename=&quot;publickey - Daniel Markstedt -
 0x3C47642E.asc&quot;; name=&quot;publickey - Daniel Markstedt - 0x3C47642E.asc&quot;

LS0tLS1CRUdJTiBQR1AgUFVCTElDIEtFWSBCTE9DSy0tLS0tCkNvbW1lbnQ6IGh0dHBzOi8vZ29w
ZW5wZ3Aub3JnClZlcnNpb246IEdvcGVuUEdQIDIuOS4wCgp4c0ZOQkdUeVVBZ0JFQURDRUY2ZHBE
a3VVaGlhd21mbXVxN0tMdmhrelozM1ZPSEMwbW9LaU1ON3lpUTZpdHVBCm5mblNLUWZTVkdYTjUv
TTd5ZTQvNDIvc3dKeWRxQlNGOHMrV1k4bHpIZ0VmZk1hK2NnRitkVS9BS2M4ZlVOMDYKNWFTMlJI
Y1h4QXBBUFp3a0c5OFdmRnBFMjVhbFNLNm1EYk82T2dCRk8zME5USmpVQlNjOHhvV25Ganh2ZC9K
TQp5MDVXNVJmYk56eHgzaGxYaWI5NHNnK3JzWEdVaGt5bjdxR1k4Z0paT3YydXYzaTJzYUwwdGl1
Tk5UZXFGZXJ3CjRnN05CSzhtSzArNkNWcG01Snh4L005MGRsQmQvaGRteVRBWUhGcjlTREh0a2ZR
bUQxVktKUjJCTHU5aGZzcnAKWGlUUDdmekQ1N0JFUzZ2VjREbTZkczg0SXJBTWdPeG5SSUhoaTFt
WDY4YmdYaERQY1YzYkh4dUtabjAzelYydwplYnFzaWZuOXU2elRGQnc0SmxlY2lUSHBSYTd1anh3
cy9NbzM3eWI0Smp0M1lKZ3lkTXNrQSs4RkdnT2xxWGlVCmEwdDhrWUdIQVRTTDhJWTNFVTFJTnVx
dlFYbWo0V0VLK3owNVdpang3SEVYV1lXRWtEaUZCRDVGWG9ZY0w0dkMKUlNyczR0SDl4dmV2VERa
MXdLV0RxUW1oeW94NjRXSnVxR2RVSlFIY1BUMDZKWTZqb0U0eUU3U2N0MklmMGhldQptVk5vTDh5
eVNRUFFwL0N5cU9NOHp0UG0wYnZ4c3ZGOGIzTG16YUZiOTNPRG9iN3pTMHZzbkd0eWpvOC9KbS9v
Clhmb3pDNG5IZ3ZqV09NRUd6VHBMOVVGREFKMlJGdU41RTlzYXpIZkYveDE3Y1JxWm1aNi96THVh
YVFBUkFRQUIKelNWRVlXNXBaV3dnVFdGeWEzTjBaV1IwSUR4a1lXNXBaV3hBYldsdVpHRnVhUzV1
WlhRK3dzR09CQk1CQ2dBNApBaHNEQlFzSkNBY0NCaFVLQ1FnTEFnUVdBZ01CQWg0QkFoZUFGaUVF
UEVka0xrZHVHeGVsYTNvUkl6VlpLaC94CnR0b0ZBbWF3SUxRQUNna1FJelZaS2gveHR0bzQ3dy8v
U3pIQnN4NkFaUjJnMlVwWnFheWNFOEYrSHg5b3lidHoKZTROWEt4endUUFV4RHpYQWlwUVJzMGxS
UGl4ekJQVDZ3TTlOU3hDaUhBMnIwWG9qZFVzaU9YNzFyUVRHOERucAp2SnFxbWxKekc3WXdCakpV
YVpCOHgyQ1pyNXhPUzNCNTYweW5ZN3FpZnNEMzlNR21qZnNlNXhUaWhhTmlPNGMxCnVOaFl4eFUx
RFNLSkZYTGFLNlZNdW1jK0xCbDhuQStsdllTaVJ3UGsybC9DeDdtV2NmTWdHTk9BQ3RCa2J6Z1YK
d01kUC9xUHBCRXZzK2lFa3I1SmZWSTZrK0gzb05mZ3VjS3krRTVRYWg4SHM0RlBhODZTcEF0WXZz
cEhheDRvMwpacnZRVHJ5MFJob1duQWVJM3lVSWlTVzdGbWhmcWZ4ZVMveER2Z1pDYWN6SklUVktl
YUF6K3ZtdndEenpUcHgvCkk4RnJxSTJUejB1eFRVeVNFMkZlN1B2UWpRMHlSU0xoYzFFL3c5aTh0
OXlFTnZUckQ0akZreHVHeFNjUmtxNHQKbExyUlZWRFBYQi9CYlhGakh0OG5QaFg5R2RINGdVTWZv
cTZjVDV4ZVo2Nk1YNVJQanpaTzFRSDl1T3d5YUNObQo2V043RlRMam1aajVwcEl4TXdDeUtGdFJ5
SWdFSTdXRUN5OHRvVlJYMUJKVGx3alZFMlN5WFpkYkhZMGNrdks3CnB3YWM1ejE2MWFadHorVFBj
dWRMc1BybFdIbnhWNmxkbDNTbjk4a1dPTjlWdFV3cXhmdlhpaGhEU2JjMGlqS2sKY0g5clBjdXVM
NnFFR1pYb0xnM1N6bGl4RzZhZDNFenJmcG1kb0lwVmQwdUdnUGZaTWlKQStSTnFGVDBQWFZPOApE
ZERCNWlDZnVZbk93VTBFWlBKUUNBRVFBTVN6aXptTWRsMEt5M0tUMkpuK1VQRG5XK3lKYnpwR2sv
UlNqZW0xCnJFc2dJQW9WQzltdktRQ204eVBWcm1LNTVQbGhnNE5BeUxneTNNVng1Z2s1RUdTbkkr
RTZoZmMyZXhpeG1mR08KaUl6RkhPakc0TXZtWXp3OHRyWjZNQ2Q2VmtQZWtHVml5K2o4RkhVTmNK
MkEyOEhETk9ZSXo2cGJhNTZSZE41Wgo1WkJCalBrTmtDOXUwV1UyQnBjZVdVaXpTUEkxVkxkRlhR
a3lOWDRJTm9sVEJvVTFqOG1FaWJpYWdsUzJrbEVJCkpXeWNqbGVmWllDYW03OXBOa1JuM0xudXlr
Q0xJNXVENVFNV0N0UEZ0aUxTSzZzeGlWYk9rMnZSaGszb1Ria0EKNHF2VFZmaCtaUFpKZnMwdDda
UEJxbmtUaU1tZDhuTUxYdXY3MXRpMWhBOFVYc3J1Z1E1MjVHRGgvNk9rMHNuMApxOUJnM1dQNVZh
Yko0R1VTUEg4MFR3bEFEWFNtVnlBS3IvSk5VK05vL01GN3QySUdiSThnNDhwaC9MUlBWUFZpCnNv
aGNsTTFmVnR6L3NJMmFhK0xweXlFZHl5OXhDKzdKRUdYdkxHSTNmSEFkY0g3enhYc1NOMHNBMVpM
anpQNEwKbmNTOGN5Ri91azVMdG85aEU1YkZJUXBHRnFUQTNpZ29aVDBlTXFSWkRBR3A0VXUzWFho
M2pZVHcxOFpobXVTNwpzdTFnRTh5VEowaWlRaVRmUFNhV2lYN0UzKzJKZjVmQXVINWM5UDNXekRQ
ZUwyQlUzeWtOVzRIYldQbmF6Tkd1Ck9PV3dqNmMwakpGc1o3K25aSFhpWUk5amRsRnVmM1NqNEhF
U0pTbTJGdGFCWVJ5bFJuTmtQRTN2MkhhVENtREYKMlRGSkFCRUJBQUhDd1hZRUdBRUtBQ0FDR3d3
V0lRUThSMlF1UjI0YkY2VnJlaEVqTlZrcUgvRzIyZ1VDWnJBaApRQUFLQ1JBak5Wa3FIL0cyMm4w
MkQvOXdMdWNQZytwMTB5RmRVaVhnb0dndlliRXJLNnU3NTVhN0NOd3NjT2llCmExVDhzbGFOSW03
ZThWTm1VVmpNcFhudVFabGpSb3UxOFVkMmxJL0J2N05LblNoZzhxalRhZkdycWRGeWdPQXgKbUpx
TGNLKzc5RW4zUlZzaFJLZTl3elRhQkErbHhtNUtOOHdLbVRaTWl2aGtZQ3VkV1FkNnRoVjd5a29p
ZVUxTgpyZTNHZ3NNVnpubFBZcEJuZWJUcEV5R3ZWZGdWalVvd293QVNGWVI2M2o5RlRDVHVGUlhy
cmFsUTRZM2JTMDBSCi92cU83YWdGaGJVWUk0MW9LTldKL0hrOFE3VW5tYTRtc3ZjNTZKcnpCbXFq
aEZMODBsWVU4anVJRXFhazA1ZzkKNHZNY3JnbjY0dkhnVjZUc1duMFl4QVZacVR1aExDQ3o2UTNO
OUFQVkFYZE5rWDBwNVZQUEI5NmkraGtEVkVWRwo2ckhIa0wvTHdtTWRxbFlKeDZhRm1VWVFVU21p
a0tGbzNWaWtaMXViNUtuaVRLNDJnNDI5ckZHMEJLaWhuZXRBCk9zU211UVJBU21sRENtUE85bzhr
Z1FReWlCcFc4RkRiSjNhWXRramE3VHJpMS9zMGl0bHdMTkhRSUxlRmdoMDQKTWRJMnE1eDJueEhT
dEdmRENraDIvWkF3U0xHZGlKK3VaMGdYMU1jRVYrc3QvTjU0alo4UU9UeW15RExyVWNJawpxT1B0
VkRacmJsVTJkSmN5VkhERktaNE8yQlJxMkhyNTN6ZEI4VEdjY3Mwc3pZYUpFS2hTcHZHUGMwVU1I
NDBiCnFIU2NDWlk1UDdsVHp2a0piRk0yWWNLQU9hczRNOG9MS054VHluU2psc083S08zbGV5Ti8y
SUQ0eGFpa3FsS2oKUGc9PQo9RHlndwotLS0tLUVORCBQR1AgUFVCTElDIEtFWSBCTE9DSy0tLS0t
--1315125554030ed8432fae337c3640d37f9d78b20a100653ae87a0e37481--

--------c0d38dca2e383decfb0a398f0af7c941b01c9e59409db9e874accbcd4f1bfa2f
Content-Type: application/pgp-signature; name=&quot;signature.asc&quot;
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename=&quot;signature.asc&quot;

-----BEGIN PGP SIGNATURE-----
Version: ProtonMail

wsGpBAEBCABdBYJqHIGnCRAjNVkqH/G22jUUAAAAAAAcABBzYWx0QG5vdGF0
aW9ucy5vcGVucGdwanMub3Jng7X96Ac42EC85gCLplZsURYhBDxHZC5HbhsX
pWt6ESM1WSof8bbaAACpKBAAl29HcRQmILvYbn4tTVl46FRgQ6OpZxCZKvxC
wplWgLc/suE08QMNF7cSLVU0mwOVuWkpRovuxTgZ/Ug+v4bcXdq9TGpxxTNc
/7ojRM8dCI+YRB81fxIeh8NE6nII1Y6c4nt+btxR4YFovrydq09tGp4/K3K/
yE9O6QIMCYln49UDkxtFOEWxlRrZzTh07pVLJdBa2UFrzqzSJeCC/gX7Njs6
CIftu149k4rxnsfldx48n7IxtJ/raYbYNpRTReCTmR+6Hm/mZVAKuvhLzmxO
wLddwDQPmYKhjD4RlUPf2cjW35h1XJJVkg2wnpnKq2EzDJ9dzEYJctGRWjJF
lvQ69mjVLeqPXLqqLmK1MIfflrF5zfA8SRO8+4fqdNxsxZxTQ/oY/AzLgWzQ
X2prz72K3vvyod4xYbEB1/nGzjrUeZ0ozSK6pm+i1lhu1VL+9A9FFxm8SKsR
uBPNDnL2aHSoEvY3+DMIXghXoGTgW060Ilm4QBtD469kyHCQ3/Q1GXjF8Xvz
Gg/fA7+LEb5Kg7bFXYZJG6EFqA9R50gokvurxo4xDkkmO+FesHG5t1ZIPvxW
r1xzhGRRwm0obCc2rxl4Wvom84/f/mYNUXq1UMNdHiCC/HHsw2uG+STAi2S7
uVqhuuqAq0T1pCdLfe37IwS5kzQSVu4omQU8z7KA2IqgAmc=
=OvAs
-----END PGP SIGNATURE-----


--------c0d38dca2e383decfb0a398f0af7c941b01c9e59409db9e874accbcd4f1bfa2f--
]