[Pkg-netatalk-devel] Bug#1025011: Bug#1025011: fixed in netatalk 3.1.15~ds-1

Daniel Markstedt markstedt at gmail.com
Mon Jun 5 03:18:57 BST 2023


On Wed, May 24, 2023 at 7:18 AM Moritz Mühlenhoff <jmm at inutil.org> wrote:
> [...]
> It's nice that there's renewed interest, but this involves also taking
> care of netatalk in stable, there's a range of issues (full list at
> https://security-tracker.debian.org/tracker/source-package/netatalk)
> which need to be backported to bullseye-security.
>
> I'm reopening the bug, it can be closed with the respective upload
> to bullseye-security.
>
> Cheers,
>         Moritz
>

Since both buster and bullseye use the same base version of netatalk
(3.1.12), the work required here should be straightforward: simply
bring over the CVE patchset that was applied to buster-security.

A snippet from `apt source netatalk` on buster:
[...]
dpkg-source: info: applying CVE-2022-45188.patch
dpkg-source: info: applying CVE-2022-43634.patch
dpkg-source: info: applying CVE-2022-23125.patch
dpkg-source: info: applying CVE-2022-23121.patch
dpkg-source: info: applying CVE-2021-31439.patch
dpkg-source: info: applying CVE-2022-23123_part1.patch
dpkg-source: info: applying CVE-2022-23123_part2.patch
dpkg-source: info: applying CVE-2022-23123_part3.patch
dpkg-source: info: applying CVE-2022-23123_part4.patch
dpkg-source: info: applying CVE-2022-23123_part5.patch
dpkg-source: info: applying CVE-2022-23121_regression.patch

The only real difference between buster and bullseye netatalk 3.1.12
is that the latter has a few extra backported crash fixes etc. I had a
quick look and concluded that they shouldn't interfere with the CVE
patches.

I'd be happy to try to achieve the "upload to bullseye-security" if
you all can give me some pointers. This is all new to me.

Best regards,
Daniel


