Bug#1060774: bullseye-pu: netatalk/3.1.12~ds-8+deb11u2

2024-02-24 Thread Daniel Markstedt
2995. Harden create_appledesktop_folder. +closes: bug#1060773 + + -- Daniel Markstedt Sat, 10 Feb 2024 23:49:31 + + netatalk (3.1.12~ds-8+deb11u1) bullseye-security; urgency=high * Fix CVE-2021-31439, CVE-2022-0194, CVE-2022-23121, CVE-2022-23122, diff -Nru netatalk-3.1.12~ds/debian

Bug#1032236: netatalk2 repo in Salsa

2024-02-11 Thread Daniel Markstedt
please let me know how to take this to the next stage in the packaging evaluation process! Sincerely, Daniel Markstedt

Bug#1060774: bullseye-pu: netatalk/3.1.12~ds-8+deb11u2

2024-02-10 Thread Daniel Markstedt
Control: tags -1 - moreinfo On Wednesday, February 7th, 2024 at 3:06 AM, Jonathan Wiltshire wrote: > > > Hi, > > On Tue, Jan 16, 2024 at 08:30:52AM +, Daniel Markstedt wrote: > > > January 16, 2024 (Tue) 02:53, Adam D. Barratt > > <[a...@adam-barratt.org.uk](

Bug#1060774: bullseye-pu: netatalk/3.1.12~ds-8+deb11u2

2024-02-07 Thread Daniel Markstedt
February 7, 2024 (Wed) 03:06, Jonathan Wiltshire <j...@debian.org> wrote: > Hi, > > On Tue, Jan 16, 2024 at 08:30:52AM +, Daniel Markstedt wrote: >> January 16, 2024 (Tue) 02:53, Adam D. Barratt >> <[a...@adam-barratt.org.uk](mailt

Bug#1060774: bullseye-pu: netatalk/3.1.12~ds-8+deb11u2

2024-01-16 Thread Daniel Markstedt
January 16, 2024 (Tue) 02:53, Adam D. Barratt <a...@adam-barratt.org.uk> wrote: > Control: tags -1 + moreinfo > > On Sun, 2024-01-14 at 06:23 +, Daniel Markstedt wrote: >> CVE-2022-22995 >> Ref. advisory: https://netatalk.source

Bug#1060774: Bug ticket

2024-01-14 Thread Daniel Markstedt
This is the relevant bug ticket for the netatalk package: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1060773

Bug#1060773: Filed an upload request to release team

2024-01-14 Thread Daniel Markstedt
I prepared a deb patch and filed this upload request with the release team: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1060774

Bug#1060774: bullseye-pu: netatalk/3.1.12~ds-8+deb11u2

2024-01-13 Thread Daniel Markstedt
The attached patch can be applied to Debian oldstable to address the vulnerability. I'm proposing an oldstable out-of-release-cycle upload: 3.1.12~ds-8+deb11u2 Sincerely, Daniel Markstedt From 3bf8b9032afcdbb5547abf420697a78c9d9b35a5 Mon Sep 17 00:00:00 2001 From: Daniel Markstedt Date: Sun, 14 Jan 2024

Bug#1060773: CVE-2022-22995: afpd daemon vulnerable to symlink redirection

2024-01-13 Thread Daniel Markstedt
Package: netatalk Version: 3.1.12~ds-8+deb11u1 Severity: normal Tags: security X-Debbugs-Cc: t...@security.debian.org, pkg-netatalk-de...@alioth-lists.debian.net, Debian Security Team This is for tracking the fix for security vulnerability CVE-2022-22995 in Debian Oldstable (Bullseye)

Bug#568601: [Pkg-netatalk-devel] Bug#568601: Bug#568601: Can confirm this problem still exists

2023-12-01 Thread Daniel Markstedt
would fail to pull those in. > > Kind regards, > Matijs van Zuijlen > > On 01/12/2023 00:42, Daniel Markstedt wrote: > > > Hi Matijs, > > > > This is not something we can address in the netatalk package itself, since > > you're using an Unstable ne

Bug#568601: [Pkg-netatalk-devel] Bug#568601: Can confirm this problem still exists

2023-11-30 Thread Daniel Markstedt
Hi Matijs, This is not something we can address in the netatalk package itself, since you're using an Unstable netatalk package with a Stable Debian version. (Netatalk was dropped from Debian 12 Bookworm.) See this upstream discussion for more details:

Bug#1053545: CVE-2022-22995: netatalk afpd vulnerable to symlink spoofing

2023-10-05 Thread Daniel Markstedt
Package: netatalk Version: 3.1.12~ds-3 Severity: critical Tags: security Justification: root security hole X-Debbugs-Cc: pkg-netatalk-de...@alioth-lists.debian.net, Debian Security Team Under very specific circumstances, netatalk can be tricked into copying a symlink or other malicious file

Bug#1049325: Updated patch with CVE-2023-42464 fix

2023-09-19 Thread Daniel Markstedt
A new 0-day vulnerability CVE-2023-42464 has been published and patched with upstream Netatalk 3.1.17. The large CVE patch batch for oldstable has been updated and a new version attached here. Thank you! Daniel netatalk-3.1.12~ds-8+deb11u1-2.patch Description: Binary data

Bug#1052087: Versions affected

2023-09-17 Thread Daniel Markstedt
Please note: The vulnerability also affects 3.1.12~ds-8 in oldstable, and 3.1.15~ds-3 in unstable. stable isn't distributing a netatalk package.

Bug#1052087: CVE-2023-42464: 0-day vulnerability in afpd Spotlight RPC

2023-09-17 Thread Daniel Markstedt
Package: netatalk Version: 3.1.12~ds-3 Severity: critical Tags: security Justification: root security hole A 0-day vulnerability patch has been published for the upstream project. The CVE record has not been made public yet, but this is the body of the advisory for the record: A Type Confusion

Bug#1051066: [Pkg-netatalk-devel] Bug#1051066: netatalk: 9 outstanding CVEs in Bullseye with available patches

2023-09-03 Thread Daniel Markstedt
--- Original Message --- On Saturday, September 2nd, 2023 at 1:33 AM, Jonas Smedegaard wrote: > > This is one bugreport about multiple issues. That easily gets confusing > to track, e.g. if some of the issues are solved and some are not, for a > certain release of the package (and

Bug#1051103: netatalk: Unknown error: 211 from macOS when trying to mount in 3.1.15~ds-2 or later

2023-09-02 Thread Daniel Markstedt
--- Original Message --- On Saturday, September 2nd, 2023 at 12:18 PM, David Gilman wrote: > > > Package: netatalk > Version: 3.1.15~ds-2 > Severity: important > X-Debbugs-Cc: davidgilm...@gmail.com > > Dear Maintainer, > > After the update from 3.1.15~ds-1 to 3.1.15~ds-2 any attempt

Bug#1051066: netatalk: 9 outstanding CVEs in Bullseye with available patches

2023-09-01 Thread Daniel Markstedt
To add the justification for the critical severity of this ticket: At least 6 of the 9 vulnerabilities grant theoretical root access of a Debian system running non-patched netatalk. CVE-2022-43634, CVE-2022-23124, CVE-2022-23123, CVE-2022-23122, CVE-2022-23121, CVE-2022-0194

Bug#1051066: netatalk: 9 outstanding CVEs in Bullseye with available patches

2023-09-01 Thread Daniel Markstedt
Package: netatalk Version: 3.1.12~ds-8 Severity: critical Tags: patch security Justification: root security hole X-Debbugs-Cc: pkg-netatalk-de...@alioth-lists.debian.net, Debian Security Team Nine CVE security advisories were addressed in netatalk upstream releases between 3.1.13 and 3.1.15.

Bug#1049325: Increasing severity

2023-08-30 Thread Daniel Markstedt
Control: severity -1 important X-Debbugs-Cc: pkg-netatalk-de...@alioth-lists.debian.net Dear Debian Release Team, Please allow me to raise the severity for this ticket. The patches address 9 public CVE advisories, and I think it would be beneficial to Bullseye users to have a patched package.

Bug#1043504: [Pkg-netatalk-devel] Bug#1043504: marked as done (Another regression fix for CVE-2022-23123)

2023-08-14 Thread Daniel Markstedt
> -- Forwarded message -- > From: Markus Koschany > To: Daniel Markstedt > Cc: 1043504-d...@bugs.debian.org > Bcc: > Date: Sun, 13 Aug 2023 23:44:58 +0200 > Subject: Re: Bug#1043504: Another regression fix for CVE-2022-23123 > Version: 3.1.12~ds-3+deb

Bug#1025011: Release request filed

2023-08-13 Thread Daniel Markstedt
For the record, I have filed a request with the Release Team now to get the green light to upload Bullseye packages. See: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1049325

Bug#1049325: bullseye-pu: netatalk/3.1.12~ds-8+deb11u1

2023-08-13 Thread Daniel Markstedt
oldstable up to date with security patches. Is this enough to make a case for uploading an update to oldstable? Sincerely, Daniel Markstedt netatalk-3.1.12~ds-8+deb11u1.patch Description: Binary data

Bug#1043504: Another regression fix for CVE-2022-23123

2023-08-13 Thread Daniel Markstedt
My apologies, the previous patch had a fatal typo that I noticed when running debuild. This "-2" version should work properly. On Sat, Aug 12, 2023 at 10:58 PM Daniel Markstedt wrote: > > Here is a patch with the upstream code change, for the 3.1.12~ds3 patchset. > I follo

Bug#1043504: Another regression fix for CVE-2022-23123

2023-08-13 Thread Daniel Markstedt
Here is a patch with the upstream code change, for the 3.1.12~ds3 patchset. I followed the maintainers' documentation and used quilt, so hopefully it should be compliant! Please let me know if there's anything I should be doing differently here. Thanks! Daniel CVE-2022-23123_part6.patch

Bug#1043504: Another regression fix for CVE-2022-23123

2023-08-11 Thread Daniel Markstedt
Package: netatalk Version: 3.1.12~ds-3+deb10u2 X-Debbugs-Cc: t...@security.debian.org,debian-...@lists.debian.org Dear Debian Security team, Would you be able to help me get the following critical regression fix into the Buster netatalk package? The regression was introduced with the patch for

Bug#1040065: [Pkg-netatalk-devel] Bug#1040065: afpd: systemd-logind ReleaseSession rejected by dbus-daemon

2023-07-01 Thread Daniel Markstedt
On Sat, Jul 1, 2023 at 3:27 PM Richard van den Berg wrote: > > Package: netatalk > Version: 3.1.12~ds-8 > Severity: normal > Tags: patch > > I am using netatalk for time machine backups. After every session I see this > line in /var/log/auth.log > > 2023-07-01T22:31:47.223949+02:00 my-server

Bug#1038421: Fix for CVE-2022-45188

2023-06-17 Thread Daniel Markstedt
Package: netatalk Version: 3.1.15~ds-1 X-Debbugs-Cc: pkg-netatalk-de...@lists.alioth.debian.org This bug is to record that the fix for CVE-2022-45188 has already been included with netatalk 3.1.15~ds-1. It is still flagged as unresolved for bookworm, which is not correct. See

Bug#1036740: [Pkg-netatalk-devel] Bug#1036740: closed by Markus Koschany (Re: Bug#1036740: Fix for CVE-2022-23123 causes afpd segfault with valid metadata)

2023-06-04 Thread Daniel Markstedt
On Sat, Jun 3, 2023 at 11:07 PM Jonas Smedegaard wrote: > > Quoting Salvatore Bonaccorso (2023-06-04 07:39:12) > > Hi Daniel, > > > > On Sat, Jun 03, 2023 at 02:56:00PM -0700, Daniel Markstedt wrote: > > > > -- Forwarded message -- > > >

Bug#1025011: [Pkg-netatalk-devel] Bug#1025011: fixed in netatalk 3.1.15~ds-1

2023-06-04 Thread Daniel Markstedt
On Wed, May 24, 2023 at 7:18 AM Moritz Mühlenhoff wrote: > [...] > It's nice that there's renewed interest, but this involves also taking > care of netatalk in stable, there's a range of issues (full list at > https://security-tracker.debian.org/tracker/source-package/netatalk) > which need to be

Bug#1036740: closed by Markus Koschany (Re: Bug#1036740: Fix for CVE-2022-23123 causes afpd segfault with valid metadata)

2023-06-03 Thread Daniel Markstedt
> -- Forwarded message -- > From: Markus Koschany > To: Daniel Markstedt , 1036740-d...@bugs.debian.org > Cc: debian-...@lists.debian.org > Bcc: > Date: Thu, 01 Jun 2023 19:54:55 +0200 > Subject: Re: Bug#1036740: Fix for CVE-2022-23123 causes afpd segfault w

Bug#1036740: [Pkg-netatalk-devel] Bug#1036740: Bug#1036740: Fix for CVE-2022-23123 causes afpd segfault with valid metadata

2023-05-26 Thread Daniel Markstedt
On Fri, May 26, 2023 at 1:15 PM Markus Koschany wrote: > > Could you tell me which exact commands were used, so that I can try to > reproduce the problem? > Do you by any chance have access to a Mac of any vintage? It could be a brand new machine running the latest macOS or a classic Mac from the

Bug#1036740: [Pkg-netatalk-devel] Bug#1036740: Fix for CVE-2022-23123 causes afpd segfault with valid metadata

2023-05-25 Thread Daniel Markstedt
On Thu, May 25, 2023 at 3:39 AM Markus Koschany wrote: > > Hello Daniel, > > Am Donnerstag, dem 25.05.2023 um 08:02 +0200 schrieb Salvatore Bonaccorso: > > > > > > These two commits in upstream addressed this: > > >

Bug#1036740: Fix for CVE-2022-23123 causes afpd segfault with valid metadata

2023-05-24 Thread Daniel Markstedt
Package: netatalk Version: 3.1.12~ds-3+deb10u1 X-Debbugs-Cc: t...@security.debian.org The code that addressed CVE-2022-23123 introduced appledouble metadata validity assertions that were too strict and caused instant segfaults with valid metadata for a large number of users. These two commits in

Bug#1032236: ITP: netatalk2 -- File server for Macintosh and Apple II clients

2023-03-01 Thread Daniel Markstedt
Package: wnpp Severity: wishlist Owner: Daniel Markstedt X-Debbugs-Cc: debian-de...@lists.debian.org, markst...@gmail.com * Package name: netatalk2 Version : 2.2.8 Upstream Author : The Netatalk Team * URL : https://netatalk.sourceforge.io * License : GPL 2.0