[From nobody Mon Jun  1 21:27:08 2026
Received: (at submit) by bugs.debian.org; 31 May 2026 18:21:34 +0000
X-Spam-Checker-Version: SpamAssassin 4.0.1-bugs.debian.org_2005_01_02
 (2024-03-25) on buxtehude.debian.org
X-Spam-Level: 
X-Spam-Status: No, score=-20.0 required=4.0 tests=BAYES_00,
 BODY_INCLUDES_PACKAGE,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,
 DKIM_VALID_EF,HAS_PACKAGE,PGPSIGNATURE,RCVD_IN_DNSWL_LOW,SPF_HELO_PASS,
 SPF_PASS autolearn=ham autolearn_force=no
 version=4.0.1-bugs.debian.org_2005_01_02
X-Spam-Bayes: score:0.0000 Tokens: new, 13; hammy, 99; neutral, 18; spammy, 1.
 spammytokens:0.941-+--H*r:bugs.debian.org
 hammytokens:0.000-+--H*ct:pgp-sha256, 0.000-+--XDebbugsCc,
 0.000-+--X-Debbugs-Cc, 0.000-+--H*ct:application,
 0.000-+--H*ct:protocol
Return-path: &lt;daniel@mindani.net&gt;
Received: from mail-244120.protonmail.ch ([109.224.244.120]:56413)
 by buxtehude.debian.org with esmtps
 (TLS1.3:ECDHE_X25519__RSA_PSS_RSAE_SHA256__AES_256_GCM:256)
 (Exim 4.96) (envelope-from &lt;daniel@mindani.net&gt;) id 1wTkmv-005Ftv-2C
 for submit@bugs.debian.org; Sun, 31 May 2026 18:21:34 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mindani.net;
 s=protonmail3; t=1780251684; x=1780510884;
 bh=1N2ykg3UsY/pa+8jw2UEFZr0kdsNo6+vmBG+NT7P0k0=;
 h=Date:To:From:Subject:Message-ID:Feedback-ID:From:To:Cc:Date:
 Subject:Reply-To:Feedback-ID:Message-ID:BIMI-Selector;
 b=RipkuFzYxp6XfahFzYa1vK1d5/v+VqX1pw/Ay32vT0HnYa0AL/V24pvAnLLGwpvSz
 s9RnHy6T0jc5qj/C6tm0S+AFeyGSX3ct0d7/NAj8oVSYOKUvdAxcEHrfLBmStd7+KG
 1ccdjOTOfnM+zBH+iAZGH5UTvDwQX63Pg2jnJwgsOKHrD5SUbjaFHpeYPZubGx8h2H
 6iAA0AsHPGRn7//sDKPcttN7KfF7IRDhpTQZECku8MTPGIaNn9SfQlp2oGrMZvWYx8
 4xv5ZmNZ5X5xr+xERzwg1o6qoDCobOTIAcsNmF3Eu/eeKQTZ7Zlvuy3cdgn6CY8QFc
 ekwXSrAMqRQ0Q==
Date: Sun, 31 May 2026 18:21:20 +0000
To: submit@bugs.debian.org
From: Daniel Markstedt &lt;daniel@mindani.net&gt;
Subject: CVE-2026-49387: Heap out-of-bounds reads in Spotlight RPC element
 counts
Message-ID: &lt;5a80595a-bcf9-49af-af62-c9b3009e5e94@mindani.net&gt;
Feedback-ID: 84350481:user:proton
X-Pm-Message-ID: a98b7c5c842e0ec2a9e1b0f86a9079627a54a9ed
MIME-Version: 1.0
Content-Type: multipart/signed; protocol=&quot;application/pgp-signature&quot;;
 micalg=pgp-sha256;
 boundary=&quot;------dfa1941c02885d293e40d1d6a989dde03465a051270c06f64a8cc38bd31bb4ea&quot;;
 charset=utf-8
Delivered-To: submit@bugs.debian.org

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--------dfa1941c02885d293e40d1d6a989dde03465a051270c06f64a8cc38bd31bb4ea
Content-Type: multipart/mixed;
 boundary=a3a2061dfefe33fc6157510b83c4832c38b3f8edbe514a2818d4f2574b61
Message-ID: &lt;5a80595a-bcf9-49af-af62-c9b3009e5e94@mindani.net&gt;
Date: Sun, 31 May 2026 20:21:17 +0200
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Content-Language: en-US
To: submit@bugs.debian.org
From: Daniel Markstedt &lt;daniel@mindani.net&gt;
Subject: CVE-2026-49387: Heap out-of-bounds reads in Spotlight RPC element
 counts

--a3a2061dfefe33fc6157510b83c4832c38b3f8edbe514a2818d4f2574b61
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit

Package: netatalk
Version: 4.4.3~ds-1
Severity: critical
Tags: security
X-Debbugs-Cc: 
team@security.debian.org,pkg-netatalk-devel@lists.alioth.debian.org

will be resolved by upgrading to upstream v4.5.0


--a3a2061dfefe33fc6157510b83c4832c38b3f8edbe514a2818d4f2574b61
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename=&quot;publickey - Daniel Markstedt -
 0x3C47642E.asc&quot;; name=&quot;publickey - Daniel Markstedt - 0x3C47642E.asc&quot;
Content-Type: application/pgp-keys; filename=&quot;publickey - Daniel Markstedt -
 0x3C47642E.asc&quot;; name=&quot;publickey - Daniel Markstedt - 0x3C47642E.asc&quot;

LS0tLS1CRUdJTiBQR1AgUFVCTElDIEtFWSBCTE9DSy0tLS0tCkNvbW1lbnQ6IGh0dHBzOi8vZ29w
ZW5wZ3Aub3JnClZlcnNpb246IEdvcGVuUEdQIDIuOS4wCgp4c0ZOQkdUeVVBZ0JFQURDRUY2ZHBE
a3VVaGlhd21mbXVxN0tMdmhrelozM1ZPSEMwbW9LaU1ON3lpUTZpdHVBCm5mblNLUWZTVkdYTjUv
TTd5ZTQvNDIvc3dKeWRxQlNGOHMrV1k4bHpIZ0VmZk1hK2NnRitkVS9BS2M4ZlVOMDYKNWFTMlJI
Y1h4QXBBUFp3a0c5OFdmRnBFMjVhbFNLNm1EYk82T2dCRk8zME5USmpVQlNjOHhvV25Ganh2ZC9K
TQp5MDVXNVJmYk56eHgzaGxYaWI5NHNnK3JzWEdVaGt5bjdxR1k4Z0paT3YydXYzaTJzYUwwdGl1
Tk5UZXFGZXJ3CjRnN05CSzhtSzArNkNWcG01Snh4L005MGRsQmQvaGRteVRBWUhGcjlTREh0a2ZR
bUQxVktKUjJCTHU5aGZzcnAKWGlUUDdmekQ1N0JFUzZ2VjREbTZkczg0SXJBTWdPeG5SSUhoaTFt
WDY4YmdYaERQY1YzYkh4dUtabjAzelYydwplYnFzaWZuOXU2elRGQnc0SmxlY2lUSHBSYTd1anh3
cy9NbzM3eWI0Smp0M1lKZ3lkTXNrQSs4RkdnT2xxWGlVCmEwdDhrWUdIQVRTTDhJWTNFVTFJTnVx
dlFYbWo0V0VLK3owNVdpang3SEVYV1lXRWtEaUZCRDVGWG9ZY0w0dkMKUlNyczR0SDl4dmV2VERa
MXdLV0RxUW1oeW94NjRXSnVxR2RVSlFIY1BUMDZKWTZqb0U0eUU3U2N0MklmMGhldQptVk5vTDh5
eVNRUFFwL0N5cU9NOHp0UG0wYnZ4c3ZGOGIzTG16YUZiOTNPRG9iN3pTMHZzbkd0eWpvOC9KbS9v
Clhmb3pDNG5IZ3ZqV09NRUd6VHBMOVVGREFKMlJGdU41RTlzYXpIZkYveDE3Y1JxWm1aNi96THVh
YVFBUkFRQUIKelNWRVlXNXBaV3dnVFdGeWEzTjBaV1IwSUR4a1lXNXBaV3hBYldsdVpHRnVhUzV1
WlhRK3dzR09CQk1CQ2dBNApBaHNEQlFzSkNBY0NCaFVLQ1FnTEFnUVdBZ01CQWg0QkFoZUFGaUVF
UEVka0xrZHVHeGVsYTNvUkl6VlpLaC94CnR0b0ZBbWF3SUxRQUNna1FJelZaS2gveHR0bzQ3dy8v
U3pIQnN4NkFaUjJnMlVwWnFheWNFOEYrSHg5b3lidHoKZTROWEt4endUUFV4RHpYQWlwUVJzMGxS
UGl4ekJQVDZ3TTlOU3hDaUhBMnIwWG9qZFVzaU9YNzFyUVRHOERucAp2SnFxbWxKekc3WXdCakpV
YVpCOHgyQ1pyNXhPUzNCNTYweW5ZN3FpZnNEMzlNR21qZnNlNXhUaWhhTmlPNGMxCnVOaFl4eFUx
RFNLSkZYTGFLNlZNdW1jK0xCbDhuQStsdllTaVJ3UGsybC9DeDdtV2NmTWdHTk9BQ3RCa2J6Z1YK
d01kUC9xUHBCRXZzK2lFa3I1SmZWSTZrK0gzb05mZ3VjS3krRTVRYWg4SHM0RlBhODZTcEF0WXZz
cEhheDRvMwpacnZRVHJ5MFJob1duQWVJM3lVSWlTVzdGbWhmcWZ4ZVMveER2Z1pDYWN6SklUVktl
YUF6K3ZtdndEenpUcHgvCkk4RnJxSTJUejB1eFRVeVNFMkZlN1B2UWpRMHlSU0xoYzFFL3c5aTh0
OXlFTnZUckQ0akZreHVHeFNjUmtxNHQKbExyUlZWRFBYQi9CYlhGakh0OG5QaFg5R2RINGdVTWZv
cTZjVDV4ZVo2Nk1YNVJQanpaTzFRSDl1T3d5YUNObQo2V043RlRMam1aajVwcEl4TXdDeUtGdFJ5
SWdFSTdXRUN5OHRvVlJYMUJKVGx3alZFMlN5WFpkYkhZMGNrdks3CnB3YWM1ejE2MWFadHorVFBj
dWRMc1BybFdIbnhWNmxkbDNTbjk4a1dPTjlWdFV3cXhmdlhpaGhEU2JjMGlqS2sKY0g5clBjdXVM
NnFFR1pYb0xnM1N6bGl4RzZhZDNFenJmcG1kb0lwVmQwdUdnUGZaTWlKQStSTnFGVDBQWFZPOApE
ZERCNWlDZnVZbk93VTBFWlBKUUNBRVFBTVN6aXptTWRsMEt5M0tUMkpuK1VQRG5XK3lKYnpwR2sv
UlNqZW0xCnJFc2dJQW9WQzltdktRQ204eVBWcm1LNTVQbGhnNE5BeUxneTNNVng1Z2s1RUdTbkkr
RTZoZmMyZXhpeG1mR08KaUl6RkhPakc0TXZtWXp3OHRyWjZNQ2Q2VmtQZWtHVml5K2o4RkhVTmNK
MkEyOEhETk9ZSXo2cGJhNTZSZE41Wgo1WkJCalBrTmtDOXUwV1UyQnBjZVdVaXpTUEkxVkxkRlhR
a3lOWDRJTm9sVEJvVTFqOG1FaWJpYWdsUzJrbEVJCkpXeWNqbGVmWllDYW03OXBOa1JuM0xudXlr
Q0xJNXVENVFNV0N0UEZ0aUxTSzZzeGlWYk9rMnZSaGszb1Ria0EKNHF2VFZmaCtaUFpKZnMwdDda
UEJxbmtUaU1tZDhuTUxYdXY3MXRpMWhBOFVYc3J1Z1E1MjVHRGgvNk9rMHNuMApxOUJnM1dQNVZh
Yko0R1VTUEg4MFR3bEFEWFNtVnlBS3IvSk5VK05vL01GN3QySUdiSThnNDhwaC9MUlBWUFZpCnNv
aGNsTTFmVnR6L3NJMmFhK0xweXlFZHl5OXhDKzdKRUdYdkxHSTNmSEFkY0g3enhYc1NOMHNBMVpM
anpQNEwKbmNTOGN5Ri91azVMdG85aEU1YkZJUXBHRnFUQTNpZ29aVDBlTXFSWkRBR3A0VXUzWFho
M2pZVHcxOFpobXVTNwpzdTFnRTh5VEowaWlRaVRmUFNhV2lYN0UzKzJKZjVmQXVINWM5UDNXekRQ
ZUwyQlUzeWtOVzRIYldQbmF6Tkd1Ck9PV3dqNmMwakpGc1o3K25aSFhpWUk5amRsRnVmM1NqNEhF
U0pTbTJGdGFCWVJ5bFJuTmtQRTN2MkhhVENtREYKMlRGSkFCRUJBQUhDd1hZRUdBRUtBQ0FDR3d3
V0lRUThSMlF1UjI0YkY2VnJlaEVqTlZrcUgvRzIyZ1VDWnJBaApRQUFLQ1JBak5Wa3FIL0cyMm4w
MkQvOXdMdWNQZytwMTB5RmRVaVhnb0dndlliRXJLNnU3NTVhN0NOd3NjT2llCmExVDhzbGFOSW03
ZThWTm1VVmpNcFhudVFabGpSb3UxOFVkMmxJL0J2N05LblNoZzhxalRhZkdycWRGeWdPQXgKbUpx
TGNLKzc5RW4zUlZzaFJLZTl3elRhQkErbHhtNUtOOHdLbVRaTWl2aGtZQ3VkV1FkNnRoVjd5a29p
ZVUxTgpyZTNHZ3NNVnpubFBZcEJuZWJUcEV5R3ZWZGdWalVvd293QVNGWVI2M2o5RlRDVHVGUlhy
cmFsUTRZM2JTMDBSCi92cU83YWdGaGJVWUk0MW9LTldKL0hrOFE3VW5tYTRtc3ZjNTZKcnpCbXFq
aEZMODBsWVU4anVJRXFhazA1ZzkKNHZNY3JnbjY0dkhnVjZUc1duMFl4QVZacVR1aExDQ3o2UTNO
OUFQVkFYZE5rWDBwNVZQUEI5NmkraGtEVkVWRwo2ckhIa0wvTHdtTWRxbFlKeDZhRm1VWVFVU21p
a0tGbzNWaWtaMXViNUtuaVRLNDJnNDI5ckZHMEJLaWhuZXRBCk9zU211UVJBU21sRENtUE85bzhr
Z1FReWlCcFc4RkRiSjNhWXRramE3VHJpMS9zMGl0bHdMTkhRSUxlRmdoMDQKTWRJMnE1eDJueEhT
dEdmRENraDIvWkF3U0xHZGlKK3VaMGdYMU1jRVYrc3QvTjU0alo4UU9UeW15RExyVWNJawpxT1B0
VkRacmJsVTJkSmN5VkhERktaNE8yQlJxMkhyNTN6ZEI4VEdjY3Mwc3pZYUpFS2hTcHZHUGMwVU1I
NDBiCnFIU2NDWlk1UDdsVHp2a0piRk0yWWNLQU9hczRNOG9MS054VHluU2psc083S08zbGV5Ti8y
SUQ0eGFpa3FsS2oKUGc9PQo9RHlndwotLS0tLUVORCBQR1AgUFVCTElDIEtFWSBCTE9DSy0tLS0t
--a3a2061dfefe33fc6157510b83c4832c38b3f8edbe514a2818d4f2574b61--

--------dfa1941c02885d293e40d1d6a989dde03465a051270c06f64a8cc38bd31bb4ea
Content-Type: application/pgp-signature; name=&quot;signature.asc&quot;
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename=&quot;signature.asc&quot;

-----BEGIN PGP SIGNATURE-----
Version: ProtonMail

wsGpBAEBCABdBYJqHHwfCRAjNVkqH/G22jUUAAAAAAAcABBzYWx0QG5vdGF0
aW9ucy5vcGVucGdwanMub3JnQoxTXLfnHYGR4FxHH4gUvxYhBDxHZC5HbhsX
pWt6ESM1WSof8bbaAADJkRAAo3jLtm78fCYaLvSfcgpLeTgJ5Yxm13hfszyQ
VnVY4S3iEsi2wkd6QFZS2iGtK3fGLBD6ZfhkaktmH6JBiAlizOeH6b2/qXmV
YjSCQ1pM7mMmXnMy5Sx5Bl7AvaDMzD2KdJsAqrzY1zEC2/HX35VmvdHGvU2k
y7Z1uZSmLvQHhstpz/FW+4Ci8azIq+NnkaUbPPKtrx717uPGRwBlYGHcay+2
ONl9USbbN+A7IhqoREmDURBObARzvhq61p5KNQaJuHoETkPhoUN4rFFIIqoE
Iwm8XjqLWpsR4uezo0uW/KrPEFRqzi+mI9vfTDRJp5TzYz8cVEsqOqNskWJ3
HKqdgKydrW4OXEESrf1zUv+3ecs4uWsNbEOVoUwKfrzDYLS1Z2eTJ/CwZxgG
Kse3bS3XmXyacf0nXLjKl5nNFtCFgv25TnE94dlfG8BxR424c5LYVuXwWntC
3NfT3wGE3s21H2uhTCJUdljXcjL8kUiO36OMPA3PlDkFTYQtl2HOmuizpH5n
Rv2xcsHY321JEDi9B3m8VgkuUWmqGEye5HD7o9DSeo1lRcQ9ixTf3xFDscvx
bacSoN8lFUWcGpnNWjVIZTUOl1Ynsc0viakMuX3HW2Szf882gkflMV710JK2
RrkYg7pHFW+1r/oNV7MoW8jqhD/wMijt7dam6iIGQG927rE=
=muvI
-----END PGP SIGNATURE-----


--------dfa1941c02885d293e40d1d6a989dde03465a051270c06f64a8cc38bd31bb4ea--
]