[Pkg-netatalk-devel] Critical patch after applying CVE fixes

Daniel Markstedt markstedt at gmail.com
Wed May 24 17:25:47 BST 2023


Jonas,

My apologies, I've been dealing with unemployment lately so I was
caught up in being a full-time job seeker.
Right now I've hit something of a dry spell so I'll have time to
follow up on this later today I think.

Cheers!
Daniel

On Tue, May 16, 2023 at 9:42 PM Jonas Smedegaard <jonas at jones.dk> wrote:
>
> Quoting Daniel Markstedt (2023-05-17 00:20:31)
> > I saw that the LTS team pulled in all the recent CVEs with
> > 3.1.12~ds-3+deb10u1 into oldstable earlier today.
> >
> > One of those CVE fixes introduced a critical regression that causes
> > instant segfaults in afpd.
> > We need to apply the commits (at least 3/4) from this PR:
> > https://github.com/Netatalk/netatalk/pull/174/commits
> >
> > The author is Markus Koschany <apo at debian.org> but I don't know if
> > it's acceptable to reach out to the security team about things like
> > this?
> >
> > The CVE fixes don't seem to be in
> > https://sources.debian.org/src/netatalk/3.1.12~ds-3/ yet so I can't
> > say for sure whether Markus applied the regression fix already or
> > not...
> >
> > What's the best course of action here? It would suck if Buster users
> > upgraded their packages and netatalk started crashing on them. ;)
>
> Please file a bug report against netatalk, with the special header
> X-Debbugs-Cc (which you also get when interactively using debbugs) to cc
> the security team using their official address (uhm, on my way to school
> and don't have it at hand, tell me if not easy to locate yourself).
>
> Thanks!
>
>  - Jonas
>
> --
>  * Jonas Smedegaard - idealist & Internet-arkitekt
>  * Tlf.: +45 40843136  Website: http://dr.jones.dk/
>  * Sponsorship: https://ko-fi.com/drjones
>
>  [x] quote me freely  [ ] ask before reusing  [ ] keep private
