[Pkg-netatalk-devel] Critical patch after applying CVE fixes

Daniel Markstedt markstedt at gmail.com
Thu May 25 06:53:41 BST 2023


The debbug has been filed now:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036740

Found the security team email address at:
https://security-team.debian.org/contact.html
Hopefully, this resource is up to date. :)

I also got my GitLab account activated the other day, so I'll look
into fixing those integration tests.

On Wed, May 24, 2023 at 9:25 AM Daniel Markstedt <markstedt at gmail.com> wrote:
>
> Jonas,
>
> My apologies, I've been dealing with unemployment lately so I was
> caught up in being a full-time job seeker.
> Right now I've hit something of a dry spell so I'll have time to
> follow up on this later today I think.
>
> Cheers!
> Daniel
>
> On Tue, May 16, 2023 at 9:42 PM Jonas Smedegaard <jonas at jones.dk> wrote:
> >
> > Quoting Daniel Markstedt (2023-05-17 00:20:31)
> > > I saw that the LTS team pulled in all the recent CVEs with
> > > 3.1.12~ds-3+deb10u1 into oldstable earlier today.
> > >
> > > One of those CVE fixes introduced a critical regression that causes
> > > instant segfaults in afpd.
> > > We need to apply the commits (at least 3/4) from this PR:
> > > https://github.com/Netatalk/netatalk/pull/174/commits
> > >
> > > The author is Markus Koschany <apo at debian.org> but I don't know if
> > > it's acceptable to reach out to the security team about things like
> > > this?
> > >
> > > The CVE fixes don't seem to be in
> > > https://sources.debian.org/src/netatalk/3.1.12~ds-3/ yet so I can't
> > > say for sure whether Markus applied the regression fix already or
> > > not...
> > >
> > > What's the best course of action here? It would suck if Buster users
> > > upgraded their packages and netatalk started crashing on them. ;)
> >
> > Please file a bug report against netatalk, with the special header
> > X-Debbugs-Cc (which you also get when interactively using debbugs) to cc
> > the security team using their official address (uhm, on my way to school
> > and don't have it at hand, tell me if not easy to locate yourself).
> >
> > Thanks!
> >
> >  - Jonas
> >
> > --
> >  * Jonas Smedegaard - idealist & Internet-arkitekt
> >  * Tlf.: +45 40843136  Website: http://dr.jones.dk/
> >  * Sponsorship: https://ko-fi.com/drjones
> >
> >  [x] quote me freely  [ ] ask before reusing  [ ] keep private


