I prepared a deb patch and filed this upload request with the release team:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1060774
Package: netatalk
Version: 3.1.12~ds-3
Severity: critical
Tags: security
Justification: root security hole
X-Debbugs-Cc: pkg-netatalk-de...@alioth-lists.debian.net, Debian Security Team
Under very specific circumstances, netatalk can be tricked into copying a
symlink or other malicious file
Please note: The vulnerability also affects 3.1.12~ds-8 in oldstable, and
3.1.15~ds-3 in unstable.
stable isn't distributing a netatalk package.
Package: netatalk
Version: 3.1.12~ds-3
Severity: critical
Tags: security
Justification: root security hole
A 0-day vulnerability patch has been published for the upstream project.
The CVE record has not been made public yet, but this is the body of the
advisory for the record:
A Type Confusion
--- Original Message ---
On Saturday, September 2nd, 2023 at 1:33 AM, Jonas Smedegaard
wrote:
>
> This is one bugreport about multiple issues. That easily gets confusing
> to track, e.g. if some of the issues are solved and some are not, for a
> certain release of the package (and
To add the justification for the critical severity of this ticket:
At least 6 of the 9 vulnerabilities grant theoretical root access of a Debian
system running non-patched netatalk.
CVE-2022-43634, CVE-2022-23124, CVE-2022-23123, CVE-2022-23122, CVE-2022-23121,
CVE-2022-0194
Package: netatalk
Version: 3.1.12~ds-8
Severity: critical
Tags: patch security
Justification: root security hole
X-Debbugs-Cc: pkg-netatalk-de...@alioth-lists.debian.net, Debian Security Team
Nine CVE security advisories were addressed in netatalk upstream
releases between 3.1.13 and 3.1.15.
For the record, I have filed a request with the Release Team now to
get the green light to upload Bullseye packages. See:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1049325
On Wed, May 24, 2023 at 7:18 AM Moritz Mühlenhoff wrote:
> [...]
> It's nice that there's renewed interest, but this involves also taking
> care of netatalk in stable, there's a range of issues (full list at
> https://security-tracker.debian.org/tracker/source-package/netatalk)
> which need to be