Your message dated Fri, 06 Oct 2023 05:04:14 +0000
with message-id <e1qod0y-005rx4...@fasolo.debian.org>
and subject line Bug#1053545: fixed in netatalk 3.1.18~ds-1
has caused the Debian Bug report #1053545,
regarding CVE-2022-22995: netatalk afpd vulnerable to symlink spoofing
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1053545: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1053545
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: netatalk
Version: 3.1.12~ds-3
Severity: critical
Tags: security
Justification: root security hole
X-Debbugs-Cc: pkg-netatalk-de...@alioth-lists.debian.net, Debian Security Team <t...@security.debian.org>

Under very specific circumstances, netatalk can be tricked into copying a 
symlink or other malicious file from the shared volume into a restricted place 
in the file system, potentially achieving remote code execution. All versions 
of netatalk from 3.1.0 to 3.1.17 are vulnerable.

The CVE-2022-22995 advisory was published over a year ago, but the details of 
the exploit weren't disclosed at the time:

https://nvd.nist.gov/vuln/detail/cve-2022-22995

It was only recently that we in the upstream team were able to get in touch 
with the original security researchers to gain enough insight to formulate a patch 
and publish our own security advisory:

https://netatalk.sourceforge.io/CVE-2022-22995.php

--- End Message ---
--- Begin Message ---
Source: netatalk
Source-Version: 3.1.18~ds-1
Done: Jonas Smedegaard <d...@jones.dk>

We believe that the bug you reported is fixed in the latest version of
netatalk, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1053...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jonas Smedegaard <d...@jones.dk> (supplier of updated netatalk package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)



Format: 1.8
Date: Fri, 06 Oct 2023 06:40:15 +0200
Source: netatalk
Binary: netatalk netatalk-dbgsym
Architecture: source amd64
Version: 3.1.18~ds-1
Distribution: unstable
Urgency: high
Maintainer: Debian Netatalk team <pkg-netatalk-de...@lists.alioth.debian.org>
Changed-By: Jonas Smedegaard <d...@jones.dk>
Description:
 netatalk   - Apple Filing Protocol service
Closes: 1053545
Changes:
 netatalk (3.1.18~ds-1) unstable; urgency=high
 .
   [ upstream ]
   * new release
     + CVE-2022-22995: Harden create_appledesktop_folder()
       closes: bug#1053545
 .
   [ Jonas Smedegaard ]
   * drop patch 001, obsoleted by upstream changes
   * set urgency=high due to security-related bugfix


--- End Message ---
