[Pkg-netatalk-devel] Bug#1051066: netatalk: 9 outstanding CVEs in Bullseye with available patches

Daniel Markstedt daniel at mindani.net
Fri Sep 1 23:00:14 BST 2023


Package: netatalk
Version: 3.1.12~ds-8
Severity: critical
Tags: patch security
Justification: root security hole
X-Debbugs-Cc: pkg-netatalk-devel at alioth-lists.debian.net, Debian Security Team <team at security.debian.org>

Nine CVE security advisories were addressed in netatalk upstream
releases between 3.1.13 and 3.1.15. The full list is below:

CVE-2022-45188
CVE-2022-43634
CVE-2022-23125
CVE-2022-23124
CVE-2022-23123
CVE-2022-23122
CVE-2022-23121
CVE-2022-0194
CVE-2021-31439

Current status of patching these vulnerabilities:
- netatalk oldoldstable has already been patched by the Security Team.
- netatalk unstable has already been patched by the maintainer team.
- The netatalk package was excluded from stable, no action required.
- What remains is to patch oldstable, hence this ticket.

A debpatch has been attached to the related Release bug ticket,
where approval to proceed with an oldstable release has been requested.
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1049325

-- System Information:
Debian Release: 11.7
  APT prefers oldstable
  APT policy: (500, 'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.0-11-amd64 (SMP w/4 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to C.UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: unable to detect

Versions of packages netatalk depends on:
ii  init-system-helpers      1.60
ii  libacl1                  2.2.53-10
ii  libavahi-client3         0.8-5+deb11u2
ii  libavahi-common3         0.8-5+deb11u2
ii  libc6                    2.31-13+deb11u6
ii  libcrack2                2.9.6-3.4
ii  libcrypt1                1:4.4.18-4
ii  libdb5.3                 5.3.28+dfsg1-0.8
ii  libdbus-glib-1-2         0.110-6
ii  libevent-2.1-7           2.1.12-stable-1
ii  libgcrypt20              1.8.7-6
ii  libglib2.0-0             2.66.8-1
ii  libgssapi-krb5-2         1.18.3-6+deb11u3
ii  libkrb5-3                1.18.3-6+deb11u3
ii  libldap-2.4-2            2.4.57+dfsg-3+deb11u1
ii  libmariadb3              1:10.5.19-0+deb11u2
ii  libpam-modules           1.4.0-9+deb11u1
ii  libpam0g                 1.4.0-9+deb11u1
ii  libssl1.1                1.1.1n-0+deb11u4
ii  libtalloc2               2.3.1-2+b1
ii  libtdb1                  1.4.3-1+b1
ii  libtracker-sparql-2.0-0  2.3.6-2
ii  libwrap0                 7.6.q-31
ii  lsb-base                 11.1.0
ii  netbase                  6.3
ii  perl                     5.32.1-4+deb11u2

Versions of packages netatalk recommends:
ii  avahi-daemon      0.8-5+deb11u2
ii  cracklib-runtime  2.9.6-3.4
ii  dbus              1.12.24-0+deb11u1
ii  lsof              4.93.2+dfsg-1.1
ii  procps            2:3.3.17-5
ii  python3           3.9.2-3
ii  python3-dbus      1.2.16-5
ii  tracker           2.3.6-2

Versions of packages netatalk suggests:
pn  quota  <none>

-- no debconf information


