Bug#1060773: Filed an upload request to release team

2024-01-14 Thread Daniel Markstedt
I prepared a deb patch and filed this upload request with the release team: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1060774

Bug#1053545: CVE-2022-22995: netatalk afpd vulnerable to symlink spoofing

2023-10-05 Thread Daniel Markstedt
Package: netatalk
Version: 3.1.12~ds-3
Severity: critical
Tags: security
Justification: root security hole
X-Debbugs-Cc: pkg-netatalk-de...@alioth-lists.debian.net, Debian Security Team

Under very specific circumstances, netatalk can be tricked into copying a symlink or other malicious file

Bug#1052087: Versions affected

2023-09-17 Thread Daniel Markstedt
Please note: The vulnerability also affects 3.1.12~ds-8 in oldstable, and 3.1.15~ds-3 in unstable. stable isn't distributing a netatalk package.

Bug#1052087: CVE-2023-42464: 0-day vulnerability in afpd Spotlight RPC

2023-09-17 Thread Daniel Markstedt
Package: netatalk
Version: 3.1.12~ds-3
Severity: critical
Tags: security
Justification: root security hole

A 0-day vulnerability patch has been published for the upstream project. The CVE record has not been made public yet, but this is the body of the advisory for the record:

A Type Confusion

Bug#1051066: [Pkg-netatalk-devel] Bug#1051066: netatalk: 9 outstanding CVEs in Bullseye with available patches

2023-09-03 Thread Daniel Markstedt
--- Original Message ---
On Saturday, September 2nd, 2023 at 1:33 AM, Jonas Smedegaard wrote:
>
> This is one bugreport about multiple issues. That easily gets confusing
> to track, e.g. if some of the issues are solved and some are not, for a
> certain release of the package (and

Bug#1051066: netatalk: 9 outstanding CVEs in Bullseye with available patches

2023-09-01 Thread Daniel Markstedt
To add the justification for the critical severity of this ticket: At least 6 of the 9 vulnerabilities grant theoretical root access of a Debian system running non-patched netatalk. CVE-2022-43634, CVE-2022-23124, CVE-2022-23123, CVE-2022-23122, CVE-2022-23121, CVE-2022-0194

Bug#1051066: netatalk: 9 outstanding CVEs in Bullseye with available patches

2023-09-01 Thread Daniel Markstedt
Package: netatalk
Version: 3.1.12~ds-8
Severity: critical
Tags: patch security
Justification: root security hole
X-Debbugs-Cc: pkg-netatalk-de...@alioth-lists.debian.net, Debian Security Team

Nine CVE security advisories were addressed in netatalk upstream releases between 3.1.13 and 3.1.15.

Bug#1025011: Release request filed

2023-08-13 Thread Daniel Markstedt
For the record, I have filed a request with the Release Team now to get the green light to upload Bullseye packages. See: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1049325

Bug#1025011: [Pkg-netatalk-devel] Bug#1025011: fixed in netatalk 3.1.15~ds-1

2023-06-04 Thread Daniel Markstedt
On Wed, May 24, 2023 at 7:18 AM Moritz Mühlenhoff wrote:
> [...]
> It's nice that there's renewed interest, but this involves also taking
> care of netatalk in stable, there's a range of issues (full list at
> https://security-tracker.debian.org/tracker/source-package/netatalk)
> which need to be