[Pkg-netatalk-devel] Critical patch after applying CVE fixes
Jonas Smedegaard
jonas at jones.dk
Wed May 17 05:42:51 BST 2023
Quoting Daniel Markstedt (2023-05-17 00:20:31)
> I saw that the LTS team pulled in all the recent CVEs with
> 3.1.12~ds-3+deb10u1 into oldstable earlier today.
>
> One of those CVE fixes introduced a critical regression that causes
> instant segfaults in afpd.
> We need to apply the commits (at least 3/4) from this PR:
> https://github.com/Netatalk/netatalk/pull/174/commits
>
> The author is Markus Koschany <apo at debian.org> but I don't know if
> it's acceptable to reach out to the security team about things like
> this?
>
> The CVE fixes don't seem to be in
> https://sources.debian.org/src/netatalk/3.1.12~ds-3/ yet so I can't
> say for sure whether Markus applied the regression fix already or
> not...
>
> What's the best course of action here? It would suck if Buster users
> upgraded their packages and netatalk started crashing on them. ;)
Please file a bugreport against netatalk, with the special header
X-Debbugs-Cc (which you also get when interactively using debbugs) to cc
the security team using their official address (uhm, on my way to school
and don't have it at hand, tell me if not easy to locate yourself).
Thanks!
- Jonas
--
* Jonas Smedegaard - idealist & Internet-arkitekt
* Tlf.: +45 40843136 Website: http://dr.jones.dk/
* Sponsorship: https://ko-fi.com/drjones
[x] quote me freely [ ] ask before reusing [ ] keep private
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: signature
URL: <http://alioth-lists.debian.net/pipermail/pkg-netatalk-devel/attachments/20230517/311545cd/attachment.sig>
More information about the pkg-netatalk-devel
mailing list