Your message dated Wed, 20 Sep 2023 14:29:59 +0000 with message-id <zl44ksd_7A7i_QNNTEbiBB7hFeeRUtFFavfV-Xy5eQJd4qTIkOhV4RKVxVAuG5I26MGSS_STmKysCncjf5Ov7-wW4A5yc1EwVkqfZkxK-lA=@mindani.net> and subject line Will be in upcoming security release has caused the Debian Bug report #1049325, regarding bullseye-pu: netatalk/3.1.12~ds-8+deb11u1 to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

--
1049325: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1049325
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: jo...@jones.dk

This is a batch of patches that resolves a number of CVE vulnerabilities for netatalk, plus a number of regressions that were subsequently fixed in upstream (indicated by part/regression patches). They originate in upstream releases between 3.1.13 through 3.1.15. With the exception of the very last regression fix (CVE-2022-23123_part6.patch) they are all in the unstable netatalk package.

CVE-2022-45188
CVE-2022-43634
CVE-2022-23125
CVE-2022-23124
CVE-2022-23123
CVE-2022-23122
CVE-2022-23121
CVE-2022-0194
CVE-2021-31439

For complete transparency: Please note that the patch for CVE-2022-23123 also fixes CVE-2022-23122, CVE-2022-23124, CVE-2022-0194, which is why the latter three don't have separate patches.

The Security Team has already applied this exact patchset on buster-security (3.1.12~ds-3+deb10u3), and instructed me to file this release request against oldstable.

We have an active userbase that leverages netatalk for file sharing with fleets of legacy Mac clients in production environments, so I consider it prudent to keep oldstable up to date with security patches.

Is this enough to make a case for uploading an update to oldstable?

Sincerely,
Daniel Markstedt

netatalk-3.1.12~ds-8+deb11u1.patch
Description: Binary data
--- End Message ---
--- Begin Message ---
Closing this since the Security Team is preparing to make a security release for Bullseye with CVE-2023-42464 and the other patches.
--- End Message ---