[Pkg-netatalk-devel] Bug#1051066: Bug#1051066: netatalk: 9 outstanding CVEs in Bullseye with available patches

Jonas Smedegaard jonas at jones.dk
Sat Sep 2 09:33:42 BST 2023


Quoting Daniel Markstedt (2023-09-02 00:00:14)
> Package: netatalk
> Version: 3.1.12~ds-8
> Severity: critical
> Tags: patch security
> Justification: root security hole
> X-Debbugs-Cc: pkg-netatalk-devel at alioth-lists.debian.net, Debian Security Team <team at security.debian.org>
> 
> Nine CVE security advisories were addressed in netatalk upstream
> releases between 3.1.13 and 3.1.15. The full list is below:
> 
> CVE-2022-45188
> CVE-2022-43634
> CVE-2022-23125
> CVE-2022-23124
> CVE-2022-23123
> CVE-2022-23122
> CVE-2022-23121
> CVE-2022-0194
> CVE-2021-31439
> 
> Current status of patching these vulnerabilities:
> - netatalk oldoldstable has already been patched by the Security Team.
> - netatalk unstable has already been patched by the maintainer team.
> - The netatalk package was excluded from stable, no action required.
> - What remains is to patch oldstable, hence this ticket.
> 
> A debpatch has been attached to the related Release bug ticket,
> where approval to proceed with an oldstable release has been requested.
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1049325

This is one bugreport about multiple issues.  That easily gets confusing
to track, e.g. if some of the issues are solved and some are not, for a
certain release of the package (and consequently a Debian release where
that package release is included).

It is generally easier to track when instead filing one bugreport per
issue.

I tried to look up one of the above CVEs in the Debian security tracker:
https://security-tracker.debian.org/tracker/CVE-2022-43634

It references an already filed bugreport about that issue, bug#1034170,
which is tagged as found only as early as 3.1.14~ds-1.  If earlier
Debian package releases are also affected by that particular issue, then
please update that bugreport to reflect that fact.

This bugreport is flagged as "archived" (which is done automatically
after being done for a while, to reduce spam). Before doing other
changes you therefore need to first unarchive it.

E.g. something like this:

  bts unarchive 1034170 . found 1034170 3.1.13~ds-1

The other CVEs seemingly have no related bugreport (from a quick look at
the security tracker - but I suspect that database does not list
bugreports not involving the security team at first, and only later
mentioning a CVE if at all).  If you don't happen to be aware of
bugreports existing for those other issues, then I suggest to file new
individual bugreports for each issue (also because it is easy to merge
issues later as needed).


Kind regards, and thanks a lot for looking into this,

 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/
 * Sponsorship: https://ko-fi.com/drjones

 [x] quote me freely  [ ] ask before reusing  [ ] keep private