Your message dated Wed, 20 Sep 2023 14:29:59 +0000
with message-id 
<zl44ksd_7A7i_QNNTEbiBB7hFeeRUtFFavfV-Xy5eQJd4qTIkOhV4RKVxVAuG5I26MGSS_STmKysCncjf5Ov7-wW4A5yc1EwVkqfZkxK-lA=@mindani.net>
and subject line Will be in upcoming security release
has caused the Debian Bug report #1049325,
regarding bullseye-pu: netatalk/3.1.12~ds-8+deb11u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1049325: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1049325
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: jo...@jones.dk

This is a batch of patches that resolves a number of CVE
vulnerabilities for netatalk, plus a number of regressions that were
subsequently fixed in upstream (indicated by part/regression patches).

They originate in upstream releases between 3.1.13 and 3.1.15.
With the exception of the very last regression fix
(CVE-2022-23123_part6.patch) they are all in the unstable netatalk
package.

CVE-2022-45188
CVE-2022-43634
CVE-2022-23125
CVE-2022-23124
CVE-2022-23123
CVE-2022-23122
CVE-2022-23121
CVE-2022-0194
CVE-2021-31439

For complete transparency: Please note that the patch for
CVE-2022-23123 also fixes CVE-2022-23122, CVE-2022-23124,
CVE-2022-0194, which is why the latter three don't have separate
patches.

The Security Team has already applied this exact patchset on
buster-security (3.1.12~ds-3+deb10u3), and instructed me to file this
release request against oldstable.

We have an active userbase that leverages netatalk for file sharing
with fleets of legacy Mac clients in production environments, so I
consider it prudent to keep oldstable up to date with security
patches.

Is this enough to make a case for uploading an update to oldstable?

Sincerely,
Daniel Markstedt

Attachment: netatalk-3.1.12~ds-8+deb11u1.patch
Description: Binary data


--- End Message ---
--- Begin Message ---
Closing this since the Security Team is preparing to make a security release 
for Bullseye with CVE-2023-42464 and the other patches.

--- End Message ---
