[Pkg-netatalk-devel] Critical patch after applying CVE fixes
Daniel Markstedt
markstedt at gmail.com
Tue May 16 23:20:31 BST 2023
Hi Jonas,

I saw that the LTS team pulled in all the recent CVEs with
3.1.12~ds-3+deb10u1 into oldstable earlier today.

One of those CVE fixes introduced a critical regression that causes
instant segfaults in afpd.

We need to apply the commits (at least 3/4) from this PR:
https://github.com/Netatalk/netatalk/pull/174/commits

The author is Markus Koschany <apo at debian.org> but I don't know if
it's acceptable to reach out to the security team about things like
this?

The CVE fixes don't seem to be in
https://sources.debian.org/src/netatalk/3.1.12~ds-3/ yet so I can't
say for sure whether Markus applied the regression fix already or
not...

What's the best course of action here? It would suck if Buster users
upgraded their packages and netatalk started crashing on them. ;)

Cheers,
Daniel