[Pkg-netatalk-devel] Critical patch after applying CVE fixes
Daniel Markstedt
markstedt at gmail.com
Wed May 24 17:25:47 BST 2023
Jonas,
My apologies, I've been dealing with unemployment lately so I was
caught up in being a full-time job seeker.
Right now I've hit something of a dry spell so I'll have time to
follow up on this later today I think.
Cheers!
Daniel
On Tue, May 16, 2023 at 9:42 PM Jonas Smedegaard <jonas at jones.dk> wrote:
>
> Quoting Daniel Markstedt (2023-05-17 00:20:31)
> > I saw that the LTS team pulled in all the recent CVEs with
> > 3.1.12~ds-3+deb10u1 into oldstable earlier today.
> >
> > One of those CVE fixes introduced a critical regression that causes
> > instant segfaults in afpd.
> > We need to apply the commits (at least 3/4) from this PR:
> > https://github.com/Netatalk/netatalk/pull/174/commits
> >
> > The author is Markus Koschany <apo at debian.org> but I don't know if
> > it's acceptable to reach out to the security team about things like
> > this?
> >
> > The CVE fixes don't seem to be in
> > https://sources.debian.org/src/netatalk/3.1.12~ds-3/ yet so I can't
> > say for sure whether Markus applied the regression fix already or
> > not...
> >
> > What's the best course of action here? It would suck if Buster users
> > upgraded their packages and netatalk started crashing on them. ;)
>
> Please file a bug report against netatalk, with the special header
> X-Debbugs-Cc (which you also get when interactively using debbugs) to cc
> the security team using their official address (uhm, on my way to school
> and don't have it at hand, tell me if not easy to locate yourself).
>
> Thanks!
>
> - Jonas
>
> --
> * Jonas Smedegaard - idealist & Internet architect
> * Tel.: +45 40843136 Website: http://dr.jones.dk/
> * Sponsorship: https://ko-fi.com/drjones
>
> [x] quote me freely [ ] ask before reusing [ ] keep private