[From nobody Mon Jun  1 21:27:17 2026
Received: (at submit) by bugs.debian.org; 31 May 2026 18:52:18 +0000
X-Spam-Checker-Version: SpamAssassin 4.0.1-bugs.debian.org_2005_01_02
 (2024-03-25) on buxtehude.debian.org
X-Spam-Level: 
X-Spam-Status: No, score=-20.0 required=4.0 tests=BAYES_00,
 BODY_INCLUDES_PACKAGE,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,
 DKIM_VALID_EF,HAS_PACKAGE,PGPSIGNATURE,RCVD_IN_DNSWL_LOW,
 RCVD_IN_MSPIKE_H5,RCVD_IN_MSPIKE_WL,SPF_HELO_PASS,SPF_PASS
 autolearn=ham autolearn_force=no
 version=4.0.1-bugs.debian.org_2005_01_02
X-Spam-Bayes: score:0.0000 Tokens: new, 17; hammy, 89; neutral, 18; spammy, 1.
 spammytokens:0.941-+--H*r:bugs.debian.org
 hammytokens:0.000-+--H*ct:pgp-sha256, 0.000-+--XDebbugsCc,
 0.000-+--X-Debbugs-Cc, 0.000-+--H*ct:application,
 0.000-+--H*ct:protocol
Return-path: &lt;daniel@mindani.net&gt;
Received: from mail-4323.protonmail.ch ([185.70.43.23]:25579)
 by buxtehude.debian.org with esmtps
 (TLS1.3:ECDHE_X25519__RSA_PSS_RSAE_SHA256__AES_256_GCM:256)
 (Exim 4.96) (envelope-from &lt;daniel@mindani.net&gt;) id 1wTlGk-005Jij-0W
 for submit@bugs.debian.org; Sun, 31 May 2026 18:52:18 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mindani.net;
 s=protonmail3; t=1780253534; x=1780512734;
 bh=11RBuzhS7sTblyjwun7rGsuRyUVcTo1EFDSSRX9xoXY=;
 h=Date:To:From:Subject:Message-ID:Feedback-ID:From:To:Cc:Date:
 Subject:Reply-To:Feedback-ID:Message-ID:BIMI-Selector;
 b=o+bM+M30DiBpy4Q/xoh353rVUSt/v1MnNQ8nOmDG/pCr3AcR8ObQpngZRL1xvdEuY
 /D8VPhIsW4ha0R0WPJlgwAOv44FhAE/rAObBiIakryYONDt0/Pht/pbh0ooZhMBrzU
 bmKgt14S8eSPI5Oahjm9oBgKo4yfYCdPPPR9bVSgfoo18jBqRby1/OdrlP1f44tjwo
 gb/1MwoVM7qVEdV2kHMTst2u3MzaePS98tPR0krk/bLPTVJ7RgpJavNXfwxFfzdPmI
 p0qq2qp/+t6YrPjWJ+6m9w8Po5oy+CQ8dp2TKCHLWQSpgL+J+ng6WUGa4G6MHMRE36
 gN4e/n2XjY7tg==
Date: Sun, 31 May 2026 18:52:09 +0000
To: submit@bugs.debian.org
From: Daniel Markstedt &lt;daniel@mindani.net&gt;
Subject: CVE-2026-44067: EA header parsing heap over-read
Message-ID: &lt;62ef395b-eae7-4d69-8036-0f98779a9605@mindani.net&gt;
Feedback-ID: 84350481:user:proton
X-Pm-Message-ID: e0d690ce6f3331657e3fedbe300a46c2324ee719
MIME-Version: 1.0
Content-Type: multipart/signed; protocol=&quot;application/pgp-signature&quot;;
 micalg=pgp-sha256;
 boundary=&quot;------6af7a1a5078f7901e13b89532810a774a5de9ccca04eaa106a1843251e5c23d7&quot;;
 charset=utf-8
Delivered-To: submit@bugs.debian.org
X-CrossAssassin-Score: 3

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--------6af7a1a5078f7901e13b89532810a774a5de9ccca04eaa106a1843251e5c23d7
Content-Type: multipart/mixed;
 boundary=b96824ee88a86d0f803df0c561ab8693dd320bd213b8e47dbee9bd453f59
Message-ID: &lt;62ef395b-eae7-4d69-8036-0f98779a9605@mindani.net&gt;
Date: Sun, 31 May 2026 20:52:05 +0200
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Content-Language: en-US
To: submit@bugs.debian.org
From: Daniel Markstedt &lt;daniel@mindani.net&gt;
Subject: CVE-2026-44067: EA header parsing heap over-read

--b96824ee88a86d0f803df0c561ab8693dd320bd213b8e47dbee9bd453f59
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit

Package: netatalk
Version: 4.4.3~ds-1
Severity: critical
Tags: security
X-Debbugs-Cc: 
team@security.debian.org,pkg-netatalk-devel@lists.alioth.debian.org

will be resolved by upgrading to upstream v4.5.0

--b96824ee88a86d0f803df0c561ab8693dd320bd213b8e47dbee9bd453f59
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename=&quot;publickey - Daniel Markstedt -
 0x3C47642E.asc&quot;; name=&quot;publickey - Daniel Markstedt - 0x3C47642E.asc&quot;
Content-Type: application/pgp-keys; filename=&quot;publickey - Daniel Markstedt -
 0x3C47642E.asc&quot;; name=&quot;publickey - Daniel Markstedt - 0x3C47642E.asc&quot;

LS0tLS1CRUdJTiBQR1AgUFVCTElDIEtFWSBCTE9DSy0tLS0tCkNvbW1lbnQ6IGh0dHBzOi8vZ29w
ZW5wZ3Aub3JnClZlcnNpb246IEdvcGVuUEdQIDIuOS4wCgp4c0ZOQkdUeVVBZ0JFQURDRUY2ZHBE
a3VVaGlhd21mbXVxN0tMdmhrelozM1ZPSEMwbW9LaU1ON3lpUTZpdHVBCm5mblNLUWZTVkdYTjUv
TTd5ZTQvNDIvc3dKeWRxQlNGOHMrV1k4bHpIZ0VmZk1hK2NnRitkVS9BS2M4ZlVOMDYKNWFTMlJI
Y1h4QXBBUFp3a0c5OFdmRnBFMjVhbFNLNm1EYk82T2dCRk8zME5USmpVQlNjOHhvV25Ganh2ZC9K
TQp5MDVXNVJmYk56eHgzaGxYaWI5NHNnK3JzWEdVaGt5bjdxR1k4Z0paT3YydXYzaTJzYUwwdGl1
Tk5UZXFGZXJ3CjRnN05CSzhtSzArNkNWcG01Snh4L005MGRsQmQvaGRteVRBWUhGcjlTREh0a2ZR
bUQxVktKUjJCTHU5aGZzcnAKWGlUUDdmekQ1N0JFUzZ2VjREbTZkczg0SXJBTWdPeG5SSUhoaTFt
WDY4YmdYaERQY1YzYkh4dUtabjAzelYydwplYnFzaWZuOXU2elRGQnc0SmxlY2lUSHBSYTd1anh3
cy9NbzM3eWI0Smp0M1lKZ3lkTXNrQSs4RkdnT2xxWGlVCmEwdDhrWUdIQVRTTDhJWTNFVTFJTnVx
dlFYbWo0V0VLK3owNVdpang3SEVYV1lXRWtEaUZCRDVGWG9ZY0w0dkMKUlNyczR0SDl4dmV2VERa
MXdLV0RxUW1oeW94NjRXSnVxR2RVSlFIY1BUMDZKWTZqb0U0eUU3U2N0MklmMGhldQptVk5vTDh5
eVNRUFFwL0N5cU9NOHp0UG0wYnZ4c3ZGOGIzTG16YUZiOTNPRG9iN3pTMHZzbkd0eWpvOC9KbS9v
Clhmb3pDNG5IZ3ZqV09NRUd6VHBMOVVGREFKMlJGdU41RTlzYXpIZkYveDE3Y1JxWm1aNi96THVh
YVFBUkFRQUIKelNWRVlXNXBaV3dnVFdGeWEzTjBaV1IwSUR4a1lXNXBaV3hBYldsdVpHRnVhUzV1
WlhRK3dzR09CQk1CQ2dBNApBaHNEQlFzSkNBY0NCaFVLQ1FnTEFnUVdBZ01CQWg0QkFoZUFGaUVF
UEVka0xrZHVHeGVsYTNvUkl6VlpLaC94CnR0b0ZBbWF3SUxRQUNna1FJelZaS2gveHR0bzQ3dy8v
U3pIQnN4NkFaUjJnMlVwWnFheWNFOEYrSHg5b3lidHoKZTROWEt4endUUFV4RHpYQWlwUVJzMGxS
UGl4ekJQVDZ3TTlOU3hDaUhBMnIwWG9qZFVzaU9YNzFyUVRHOERucAp2SnFxbWxKekc3WXdCakpV
YVpCOHgyQ1pyNXhPUzNCNTYweW5ZN3FpZnNEMzlNR21qZnNlNXhUaWhhTmlPNGMxCnVOaFl4eFUx
RFNLSkZYTGFLNlZNdW1jK0xCbDhuQStsdllTaVJ3UGsybC9DeDdtV2NmTWdHTk9BQ3RCa2J6Z1YK
d01kUC9xUHBCRXZzK2lFa3I1SmZWSTZrK0gzb05mZ3VjS3krRTVRYWg4SHM0RlBhODZTcEF0WXZz
cEhheDRvMwpacnZRVHJ5MFJob1duQWVJM3lVSWlTVzdGbWhmcWZ4ZVMveER2Z1pDYWN6SklUVktl
YUF6K3ZtdndEenpUcHgvCkk4RnJxSTJUejB1eFRVeVNFMkZlN1B2UWpRMHlSU0xoYzFFL3c5aTh0
OXlFTnZUckQ0akZreHVHeFNjUmtxNHQKbExyUlZWRFBYQi9CYlhGakh0OG5QaFg5R2RINGdVTWZv
cTZjVDV4ZVo2Nk1YNVJQanpaTzFRSDl1T3d5YUNObQo2V043RlRMam1aajVwcEl4TXdDeUtGdFJ5
SWdFSTdXRUN5OHRvVlJYMUJKVGx3alZFMlN5WFpkYkhZMGNrdks3CnB3YWM1ejE2MWFadHorVFBj
dWRMc1BybFdIbnhWNmxkbDNTbjk4a1dPTjlWdFV3cXhmdlhpaGhEU2JjMGlqS2sKY0g5clBjdXVM
NnFFR1pYb0xnM1N6bGl4RzZhZDNFenJmcG1kb0lwVmQwdUdnUGZaTWlKQStSTnFGVDBQWFZPOApE
ZERCNWlDZnVZbk93VTBFWlBKUUNBRVFBTVN6aXptTWRsMEt5M0tUMkpuK1VQRG5XK3lKYnpwR2sv
UlNqZW0xCnJFc2dJQW9WQzltdktRQ204eVBWcm1LNTVQbGhnNE5BeUxneTNNVng1Z2s1RUdTbkkr
RTZoZmMyZXhpeG1mR08KaUl6RkhPakc0TXZtWXp3OHRyWjZNQ2Q2VmtQZWtHVml5K2o4RkhVTmNK
MkEyOEhETk9ZSXo2cGJhNTZSZE41Wgo1WkJCalBrTmtDOXUwV1UyQnBjZVdVaXpTUEkxVkxkRlhR
a3lOWDRJTm9sVEJvVTFqOG1FaWJpYWdsUzJrbEVJCkpXeWNqbGVmWllDYW03OXBOa1JuM0xudXlr
Q0xJNXVENVFNV0N0UEZ0aUxTSzZzeGlWYk9rMnZSaGszb1Ria0EKNHF2VFZmaCtaUFpKZnMwdDda
UEJxbmtUaU1tZDhuTUxYdXY3MXRpMWhBOFVYc3J1Z1E1MjVHRGgvNk9rMHNuMApxOUJnM1dQNVZh
Yko0R1VTUEg4MFR3bEFEWFNtVnlBS3IvSk5VK05vL01GN3QySUdiSThnNDhwaC9MUlBWUFZpCnNv
aGNsTTFmVnR6L3NJMmFhK0xweXlFZHl5OXhDKzdKRUdYdkxHSTNmSEFkY0g3enhYc1NOMHNBMVpM
anpQNEwKbmNTOGN5Ri91azVMdG85aEU1YkZJUXBHRnFUQTNpZ29aVDBlTXFSWkRBR3A0VXUzWFho
M2pZVHcxOFpobXVTNwpzdTFnRTh5VEowaWlRaVRmUFNhV2lYN0UzKzJKZjVmQXVINWM5UDNXekRQ
ZUwyQlUzeWtOVzRIYldQbmF6Tkd1Ck9PV3dqNmMwakpGc1o3K25aSFhpWUk5amRsRnVmM1NqNEhF
U0pTbTJGdGFCWVJ5bFJuTmtQRTN2MkhhVENtREYKMlRGSkFCRUJBQUhDd1hZRUdBRUtBQ0FDR3d3
V0lRUThSMlF1UjI0YkY2VnJlaEVqTlZrcUgvRzIyZ1VDWnJBaApRQUFLQ1JBak5Wa3FIL0cyMm4w
MkQvOXdMdWNQZytwMTB5RmRVaVhnb0dndlliRXJLNnU3NTVhN0NOd3NjT2llCmExVDhzbGFOSW03
ZThWTm1VVmpNcFhudVFabGpSb3UxOFVkMmxJL0J2N05LblNoZzhxalRhZkdycWRGeWdPQXgKbUpx
TGNLKzc5RW4zUlZzaFJLZTl3elRhQkErbHhtNUtOOHdLbVRaTWl2aGtZQ3VkV1FkNnRoVjd5a29p
ZVUxTgpyZTNHZ3NNVnpubFBZcEJuZWJUcEV5R3ZWZGdWalVvd293QVNGWVI2M2o5RlRDVHVGUlhy
cmFsUTRZM2JTMDBSCi92cU83YWdGaGJVWUk0MW9LTldKL0hrOFE3VW5tYTRtc3ZjNTZKcnpCbXFq
aEZMODBsWVU4anVJRXFhazA1ZzkKNHZNY3JnbjY0dkhnVjZUc1duMFl4QVZacVR1aExDQ3o2UTNO
OUFQVkFYZE5rWDBwNVZQUEI5NmkraGtEVkVWRwo2ckhIa0wvTHdtTWRxbFlKeDZhRm1VWVFVU21p
a0tGbzNWaWtaMXViNUtuaVRLNDJnNDI5ckZHMEJLaWhuZXRBCk9zU211UVJBU21sRENtUE85bzhr
Z1FReWlCcFc4RkRiSjNhWXRramE3VHJpMS9zMGl0bHdMTkhRSUxlRmdoMDQKTWRJMnE1eDJueEhT
dEdmRENraDIvWkF3U0xHZGlKK3VaMGdYMU1jRVYrc3QvTjU0alo4UU9UeW15RExyVWNJawpxT1B0
VkRacmJsVTJkSmN5VkhERktaNE8yQlJxMkhyNTN6ZEI4VEdjY3Mwc3pZYUpFS2hTcHZHUGMwVU1I
NDBiCnFIU2NDWlk1UDdsVHp2a0piRk0yWWNLQU9hczRNOG9MS054VHluU2psc083S08zbGV5Ti8y
SUQ0eGFpa3FsS2oKUGc9PQo9RHlndwotLS0tLUVORCBQR1AgUFVCTElDIEtFWSBCTE9DSy0tLS0t
--b96824ee88a86d0f803df0c561ab8693dd320bd213b8e47dbee9bd453f59--

--------6af7a1a5078f7901e13b89532810a774a5de9ccca04eaa106a1843251e5c23d7
Content-Type: application/pgp-signature; name=&quot;signature.asc&quot;
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename=&quot;signature.asc&quot;

-----BEGIN PGP SIGNATURE-----
Version: ProtonMail

wsGpBAEBCABdBYJqHINYCRAjNVkqH/G22jUUAAAAAAAcABBzYWx0QG5vdGF0
aW9ucy5vcGVucGdwanMub3JnfOpHtwu0lqgDevpDATQ4yBYhBDxHZC5HbhsX
pWt6ESM1WSof8bbaAAA/WBAAtl7JC5kRGX7yfIupGUF07XOXw761JqUwdgFi
vQqAOgMXKGnLCO6HFxXYACnYng8Oi3YbZZUjhNan8wHI5eoLSG7QAJ9y8Nme
Ve6pGasVOb8rZY5EWZtpkbmtsDrln3oRFJPxOc56tiO26oJN9KebULsK8VQ1
xKpi1SPctS146y5Bi+bHVwKbd7aNkqN/dE2MQcln6vKmO7Sfu3mlniOXm4Pk
A7QAttyfqJpQNVv9LJqcp0wk36kp+/HZdaV896b7QgXURh3en3RATaCmgiAr
YkzsPNlJnjKeHfEZZ/eBYMXbgloToORORwfzx0Q5KrGtEJhsSM8Ox0hLjLf2
tgkIr5YPBpFjuBmyytsawaH+o1DUvoezr5T0QZQDJgNYOmYsXkI09uOZUMgb
OP1EZGJk5YVh0JCTpGeik3XmTK/C0WbRZxrg2QC7OdXLKh9aQR2Jeji3S1jH
fcroS1Mx2kVwiaD9fdSZn4sMcwC27cq4iN4EreZyMbKhhdoqx0D0IOJGyDQc
H1avDCkjQ0J9MtakJKrlMMIXsnkO1WC1wWvO/NzQcKKZMKsSBbxyq2mxo12i
tewu4SPAteXLcqHdRydFR3ItufwBtpEnp0+UeRb1tVz62GptCBYdofglQtjA
aAzmxQKgT6bp1ZGxcsRuWez2afrhIzULdhN4EAlIqzZY3r0=
=Vt6X
-----END PGP SIGNATURE-----


--------6af7a1a5078f7901e13b89532810a774a5de9ccca04eaa106a1843251e5c23d7--
]