Debian Package Tracker

netatalk

Apple Filing Protocol service


general
  • source: netatalk (main)
  • version: 4.4.3~ds-1
  • maintainer: Debian Netatalk team (archive) (DMD)
  • uploaders: Daniel Markstedt [DMD] [DM] – Jonas Smedegaard [DMD]
  • arch: all any
  • std-ver: 4.7.4
  • VCS: Git (Browse, QA)
versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]
[pool directory]
  • o-o-stable: 3.1.12~ds-8+deb11u1
  • o-o-sec: 3.1.12~ds-8+deb11u2
  • stable: 4.2.3~ds-1+deb13u1
  • stable-sec: 4.2.3~ds-1+deb13u2
  • stable-p-u: 4.2.3~ds-1+deb13u2
  • testing: 4.4.3~ds-1
  • unstable: 4.4.3~ds-1
versioned links
  • 3.1.12~ds-8+deb11u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 3.1.12~ds-8+deb11u2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 4.2.3~ds-1+deb13u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 4.2.3~ds-1+deb13u2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 4.4.3~ds-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
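The suite table above only makes sense under dpkg's version ordering: `4.2.3~ds-1` is a pre-release of 4.2.3 (the `~ds` marks a repacked upstream tarball and sorts before the bare version), `+deb13u2` is a stable update on top of `-1`, and an epoch or a higher Debian revision can outrank a later date of upload. The following is an added example, not code from the tracker page or the netatalk project: it re-implements the dpkg comparison rules in Python, copies the suite table from this page into `SUITES`, and reports which suites carry a strictly newer netatalk than a given installed version. The `dpkg-query` call assumes a Debian host; when it is not available the demo falls back to the page's stable version.

```python
"""Debian version ordering applied to the netatalk suite table.

Added example; not code from the tracker page or the netatalk project.
compare_versions() re-implements the dpkg ordering rules (epoch, then
upstream version, then Debian revision; '~' sorts before everything,
including end-of-string).  SUITES is copied from the tracker page.
"""
import shutil
import subprocess

# Suite -> netatalk version shown on the tracker page for that suite.
SUITES = {
    "o-o-stable": "3.1.12~ds-8+deb11u1",
    "o-o-sec":    "3.1.12~ds-8+deb11u2",
    "stable":     "4.2.3~ds-1+deb13u1",
    "stable-sec": "4.2.3~ds-1+deb13u2",
    "stable-p-u": "4.2.3~ds-1+deb13u2",
    "testing":    "4.4.3~ds-1",
    "unstable":   "4.4.3~ds-1",
}


def _order(c: str) -> int:
    """Weight of a non-digit character in dpkg's ordering."""
    if c == "~":
        return -1            # sorts before anything, even the empty string
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256      # punctuation sorts after letters


def _verrevcmp(a: str, b: str) -> int:
    """Compare one version component the way dpkg's verrevcmp() does."""
    i = j = 0
    while i < len(a) or j < len(b):
        # Non-digit run: compare character weights; end-of-string weighs 0.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: drop leading zeros; the longer run wins, else the first differing digit.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        first_diff = 0
        while i < len(a) and j < len(b) and a[i].isdigit() and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def split_version(v: str):
    """Split 'epoch:upstream-revision' into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    if "-" in v:
        upstream, revision = v.rsplit("-", 1)   # only the last '-' starts the revision
    else:
        upstream, revision = v, ""
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 as `dpkg --compare-versions` would order a and b."""
    ea, ua, ra = split_version(a)
    eb, ub, rb = split_version(b)
    if ea != eb:
        return (ea > eb) - (ea < eb)
    r = _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (r > 0) - (r < 0)


def newer_suites(installed: str) -> list:
    """Suites whose netatalk version is strictly newer than `installed`."""
    return [s for s, v in SUITES.items() if compare_versions(v, installed) > 0]


def installed_version(package: str = "netatalk"):
    """Ask dpkg for the installed version; None when dpkg or the package is absent."""
    if shutil.which("dpkg-query") is None:
        return None
    r = subprocess.run(["dpkg-query", "-W", "-f=${Version}", package],
                       capture_output=True, text=True)
    return r.stdout.strip() if r.returncode == 0 and r.stdout.strip() else None


if __name__ == "__main__":
    local = installed_version() or "4.2.3~ds-1+deb13u1"   # fallback: the page's stable version
    print(f"installed: {local}")
    print("newer in :", ", ".join(newer_suites(local)) or "nothing")
    # '~' pitfall: 4.2.3~ds is a pre-release of 4.2.3, so it sorts below 4.2.3-1.
    print(compare_versions("4.2.3~ds-1", "4.2.3-1"))   # -1
```

Two caveats when reading the result. Version ordering says nothing about which fixes a build contains: the Ubuntu version `4.2.3~ds-2.1` listed further down compares greater than `4.2.3~ds-1+deb13u2` although it predates the stable-security upload, and the tracker still lists seven open issues in sid at `4.4.3~ds-1`, so "at the suite's current version" is not "no open CVEs". For the authoritative answer use the security tracker link on this page rather than the version string alone.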
binaries
  • a2boot
  • atalkd
  • libatalk
  • libatalk-dev
  • macipgw
  • netatalk (10 bugs: 0, 9, 1, 0)
  • netatalk-doc
  • netatalk-tests
  • netatalk-tools
  • papd
  • timelord
action needed
7 security issues in sid high

There are 7 open security issues in sid.

7 important issues:
  • CVE-2026-44053: Netatalk 1.5.0 through 4.2.2 uses a broken cryptographic algorithm in the DHCAST128 UAM, which allows a remote attacker to obtain authentication credentials or impersonate a user via cryptanalytic attack.
  • CVE-2026-44056: A stack-based buffer overflow in desktop.c in Netatalk 1.3 through 4.2.2 allows a remote authenticated attacker to cause a denial of service, obtain limited information, or modify limited data.
  • CVE-2026-44058: An authentication bypass vulnerability in Netatalk 2.2.2 through 4.4.2 allows a remote privileged user to authenticate as an arbitrary user via the admin auth user mechanism.
  • CVE-2026-44061: Netatalk 1.5.0 through 4.4.2 uses DES-ECB for authentication with a timing side channel, which allows a remote attacker to recover authentication credentials via timing analysis.
  • CVE-2026-44063: An LDAP injection vulnerability in Netatalk 2.1.0 through 4.4.2 allows a remote authenticated attacker to manipulate LDAP queries and obtain limited information or modify LDAP entries via crafted filter input.
  • CVE-2026-44065: An off-by-two error in lp_write() in papd in Netatalk 2.0.0 through 4.4.2 allows an adjacent network attacker to modify limited data or cause a minor service disruption via crafted print data.
  • CVE-2026-44067: A heap over-read in extended attribute (EA) header parsing in Netatalk 2.1.0 through 4.4.2 allows a remote authenticated attacker to obtain limited information or cause a minor service disruption via crafted EA data.
Created: 2026-05-14 Last update: 2026-05-22 22:17
7 security issues in forky high

There are 7 open security issues in forky.

7 important issues:
  • CVE-2026-44053: Netatalk 1.5.0 through 4.2.2 uses a broken cryptographic algorithm in the DHCAST128 UAM, which allows a remote attacker to obtain authentication credentials or impersonate a user via cryptanalytic attack.
  • CVE-2026-44056: A stack-based buffer overflow in desktop.c in Netatalk 1.3 through 4.2.2 allows a remote authenticated attacker to cause a denial of service, obtain limited information, or modify limited data.
  • CVE-2026-44058: An authentication bypass vulnerability in Netatalk 2.2.2 through 4.4.2 allows a remote privileged user to authenticate as an arbitrary user via the admin auth user mechanism.
  • CVE-2026-44061: Netatalk 1.5.0 through 4.4.2 uses DES-ECB for authentication with a timing side channel, which allows a remote attacker to recover authentication credentials via timing analysis.
  • CVE-2026-44063: An LDAP injection vulnerability in Netatalk 2.1.0 through 4.4.2 allows a remote authenticated attacker to manipulate LDAP queries and obtain limited information or modify LDAP entries via crafted filter input.
  • CVE-2026-44065: An off-by-two error in lp_write() in papd in Netatalk 2.0.0 through 4.4.2 allows an adjacent network attacker to modify limited data or cause a minor service disruption via crafted print data.
  • CVE-2026-44067: A heap over-read in extended attribute (EA) header parsing in Netatalk 2.1.0 through 4.4.2 allows a remote authenticated attacker to obtain limited information or cause a minor service disruption via crafted EA data.
Created: 2026-05-14 Last update: 2026-05-22 22:17
27 security issues in bullseye high

There are 27 open security issues in bullseye.

27 important issues:
  • CVE-2026-44047: An SQL injection vulnerability in the MySQL CNID backend in Netatalk 3.1.0 through 4.4.2 allows a remote authenticated attacker to obtain unauthorized access to data, modify data, or cause a denial of service.
  • CVE-2026-44048: A stack-based buffer overflow via UCS-2 type confusion in convert_charset() in Netatalk 2.0.4 through 4.4.2 allows a remote authenticated attacker to execute arbitrary code or cause a denial of service.
  • CVE-2026-44049: An out-of-bounds write due to improper null termination in convert_charset() in Netatalk 2.0.4 through 4.4.2 allows a remote authenticated attacker to execute arbitrary code or cause a denial of service via crafted character data.
  • CVE-2026-44050: A heap-based buffer overflow in the CNID daemon comm_rcv() function in Netatalk 2.0.0 through 4.4.2 allows a remote authenticated attacker to execute arbitrary code with escalated privileges or cause a denial of service.
  • CVE-2026-44051: An improper link resolution vulnerability in Netatalk 3.0.2 through 4.4.2 allows a remote authenticated attacker to read arbitrary files or overwrite arbitrary files via attacker-controlled symlink creation.
  • CVE-2026-44052: Netatalk 2.1.0 through 4.4.2 inserts LDAP simple-bind passwords into log output in cleartext, which allows an attacker with access to the log files to obtain LDAP credentials.
  • CVE-2026-44053: Netatalk 1.5.0 through 4.2.2 uses a broken cryptographic algorithm in the DHCAST128 UAM, which allows a remote attacker to obtain authentication credentials or impersonate a user via cryptanalytic attack.
  • CVE-2026-44054: Netatalk 2.0.0 through 4.4.2 generates AFP session tokens derived from predictable process IDs, which allows a remote authenticated attacker to cause a denial of service by exploiting the reconnect mechanism.
  • CVE-2026-44055: A logic error involving bitwise OR operations in Netatalk 3.1.4 through 4.4.2 allows a remote authenticated attacker to inject OS commands and execute arbitrary code.
  • CVE-2026-44056: A stack-based buffer overflow in desktop.c in Netatalk 1.3 through 4.2.2 allows a remote authenticated attacker to cause a denial of service, obtain limited information, or modify limited data.
  • CVE-2026-44057: A dead bounds check in the Spotlight RPC unmarshaller in Netatalk 3.0.0 through 4.4.2 results in an unreachable code path that provides no effective bounds protection, which may allow a remote authenticated attacker to obtain limited information via crafted Spotlight RPC requests.
  • CVE-2026-44058: An authentication bypass vulnerability in Netatalk 2.2.2 through 4.4.2 allows a remote privileged user to authenticate as an arbitrary user via the admin auth user mechanism.
  • CVE-2026-44060: An integer underflow in dsi_writeinit() in Netatalk 1.5.0 through 4.4.2 allows a remote unauthenticated attacker to cause a denial of service via a crafted DSI write request.
  • CVE-2026-44061: Netatalk 1.5.0 through 4.4.2 uses DES-ECB for authentication with a timing side channel, which allows a remote attacker to recover authentication credentials via timing analysis.
  • CVE-2026-44062: A missing output length bounds check in pull_charset_flags() in Netatalk 2.0.4 through 4.4.2 allows a remote authenticated attacker to execute arbitrary code or cause a denial of service via crafted character set data.
  • CVE-2026-44063: An LDAP injection vulnerability in Netatalk 2.1.0 through 4.4.2 allows a remote authenticated attacker to manipulate LDAP queries and obtain limited information or modify LDAP entries via crafted filter input.
  • CVE-2026-44064: An out-of-bounds read in ASP session ID handling in Netatalk 1.3 through 4.4.2 allows an adjacent network attacker to obtain limited information or cause a denial of service via a crafted ASP request.
  • CVE-2026-44065: An off-by-two error in lp_write() in papd in Netatalk 2.0.0 through 4.4.2 allows an adjacent network attacker to modify limited data or cause a minor service disruption via crafted print data.
  • CVE-2026-44066: Multiple heap out-of-bounds reads in the Spotlight RPC unmarshalling code in Netatalk 3.1.0 through 4.4.2 allow a remote authenticated attacker to obtain sensitive information or cause a minor service disruption.
  • CVE-2026-44067: A heap over-read in extended attribute (EA) header parsing in Netatalk 2.1.0 through 4.4.2 allows a remote authenticated attacker to obtain limited information or cause a minor service disruption via crafted EA data.
  • CVE-2026-44068: Incomplete sanitization of extended attribute (EA) path components in Netatalk 2.1.0 through 4.4.2 allows a remote authenticated attacker to write to files outside the intended metadata namespace via crafted EA names.
  • CVE-2026-44076: Insufficient sanitization of volume paths in Netatalk 3.1.0 through 4.4.2 allows a local privileged user to inject OS commands and execute arbitrary code via a crafted volume path.
  • CVE-2026-45354:
  • CVE-2026-45355:
  • CVE-2026-45356:
  • CVE-2026-45698:
  • CVE-2026-45699:
Created: 2026-05-14 Last update: 2026-05-22 22:17
3 security issues in buster high

There are 3 open security issues in buster.

3 important issues:
  • CVE-2024-38439: Netatalk 3.2.0 has an off-by-one error and resultant heap-based buffer overflow because of setting ibuf[PASSWDLEN] to '\0' in FPLoginExt in login in etc/uams/uams_pam.c.
  • CVE-2024-38440: Netatalk 3.2.0 has an off-by-one error, and resultant heap-based buffer overflow and segmentation violation, because of incorrectly using FPLoginExt in BN_bin2bn in etc/uams/uams_dhx_pam.c. The original issue 1097 report stated: 'The latest version of Netatalk (v3.2.0) contains a security vulnerability. This vulnerability arises due to a lack of validation for the length field after parsing user-provided data, leading to an out-of-bounds heap write of one byte (\0). Under specific configurations, this can result in reading metadata of the next heap block, potentially causing a Denial of Service (DoS) under certain heap layouts or with ASAN enabled. ... The vulnerability is located in the FPLoginExt operation of Netatalk, in the BN_bin2bn function found in /etc/uams/uams_dhx_pam.c ... if (!(bn = BN_bin2bn((unsigned char *)ibuf, KEYSIZE, NULL))) ... threads ... [#0] Id 1, Name: "afpd", stopped 0x7ffff4304e58 in ?? (), reason: SIGSEGV ... [#0] 0x7ffff4304e58 mov BYTE PTR [r14+0x8], 0x0 ... mov rdx, QWORD PTR [rsp+0x18] ... afp_login_ext(obj=<optimized out>, ibuf=0x62d000010424 "", ibuflen=0xffffffffffff0015, rbuf=<optimized out>, rbuflen=<optimized out>) ... afp_over_dsi(obj=0x5555556154c0 <obj>).'
  • CVE-2024-38441: Netatalk 3.2.0 has an off-by-one error and resultant heap-based buffer overflow because of setting ibuf[len] to '\0' in FPMapName in afp_mapname in etc/afpd/directory.c.
Created: 2024-06-17 Last update: 2024-06-29 19:18
1 security issue in bookworm high

There is 1 open security issue in bookworm.

1 important issue:
  • CVE-2022-45188: Netatalk through 3.1.13 has an afp_getappl heap-based buffer overflow resulting in code execution via a crafted .appl file. This provides remote root access on some platforms such as FreeBSD (used for TrueNAS).
Created: 2022-11-13 Last update: 2022-11-14 05:14
Does not build reproducibly during testing normal
A package building reproducibly enables third parties to verify that the source matches the distributed binaries. It has been identified that this source package produced different results, failed to build or had other issues in a test environment. Please read about how to improve the situation!
Created: 2025-11-15 Last update: 2026-05-28 22:37
Depends on packages which need a new maintainer normal
The packages that netatalk depends on which need a new maintainer are:
  • db5.3 (#1055356)
    • Depends: libdb5.3t64 libdb5.3t64
  • systemtap (#1114760)
    • Build-Depends: systemtap-sdt-dev
  • db-defaults (#1055344)
    • Build-Depends: libdb-dev
Created: 2023-09-18 Last update: 2026-05-28 21:03
1 new commit since last upload, is it time to release? normal
vcswatch reports that this package seems to have new commits in its VCS but has not yet updated debian/changelog. You should consider updating the Debian changelog and uploading this new version into the archive.

Here are the relevant commit logs:
commit fb9f6e3a36a6419c0237de39c9ad258bed1fa1d3
Author: Daniel Markstedt <daniel@mindani.net>
Date:   Wed May 20 07:54:24 2026 +0200

    update to unstable release and high priority
Created: 2026-05-20 Last update: 2026-05-26 19:32
lintian reports 84 warnings normal
Lintian reports 84 warnings about this package. You should make the package lintian clean by getting rid of them.
Created: 2026-04-22 Last update: 2026-04-22 09:00
7 low-priority security issues in trixie low

There are 7 open security issues in trixie.

7 issues left for the package maintainer to handle:
  • CVE-2026-44053: (postponed; to be fixed through a stable update) Netatalk 1.5.0 through 4.2.2 uses a broken cryptographic algorithm in the DHCAST128 UAM, which allows a remote attacker to obtain authentication credentials or impersonate a user via cryptanalytic attack.
  • CVE-2026-44056: (postponed; to be fixed through a stable update) A stack-based buffer overflow in desktop.c in Netatalk 1.3 through 4.2.2 allows a remote authenticated attacker to cause a denial of service, obtain limited information, or modify limited data.
  • CVE-2026-44058: (postponed; to be fixed through a stable update) An authentication bypass vulnerability in Netatalk 2.2.2 through 4.4.2 allows a remote privileged user to authenticate as an arbitrary user via the admin auth user mechanism.
  • CVE-2026-44061: (postponed; to be fixed through a stable update) Netatalk 1.5.0 through 4.4.2 uses DES-ECB for authentication with a timing side channel, which allows a remote attacker to recover authentication credentials via timing analysis.
  • CVE-2026-44063: (postponed; to be fixed through a stable update) An LDAP injection vulnerability in Netatalk 2.1.0 through 4.4.2 allows a remote authenticated attacker to manipulate LDAP queries and obtain limited information or modify LDAP entries via crafted filter input.
  • CVE-2026-44065: (postponed; to be fixed through a stable update) An off-by-two error in lp_write() in papd in Netatalk 2.0.0 through 4.4.2 allows an adjacent network attacker to modify limited data or cause a minor service disruption via crafted print data.
  • CVE-2026-44067: (postponed; to be fixed through a stable update) A heap over-read in extended attribute (EA) header parsing in Netatalk 2.1.0 through 4.4.2 allows a remote authenticated attacker to obtain limited information or cause a minor service disruption via crafted EA data.

You can find information about how to handle these issues in the security team's documentation.

Created: 2026-05-14 Last update: 2026-05-22 22:17
news
[rss feed]
  • [2026-05-23] netatalk 4.4.3~ds-1 MIGRATED to testing (Debian testing watch)
  • [2026-05-22] Accepted netatalk 4.2.3~ds-1+deb13u2 (source) into proposed-updates (Debian FTP Masters) (signed by: Moritz Mühlenhoff)
  • [2026-05-20] Accepted netatalk 4.4.3~ds-1 (source) into unstable (Daniel Markstedt)
  • [2026-05-18] Accepted netatalk 4.2.3~ds-1+deb13u2 (source) into stable-security (Debian FTP Masters) (signed by: Moritz Mühlenhoff)
  • [2026-04-24] netatalk 4.4.2~ds-1 MIGRATED to testing (Debian testing watch)
  • [2026-04-22] Accepted netatalk 4.4.2~ds-1 (source) into unstable (Daniel Markstedt)
  • [2026-04-15] netatalk 4.4.1~ds-1 MIGRATED to testing (Debian testing watch)
  • [2026-04-12] Accepted netatalk 4.4.1~ds-1 (source) into unstable (Daniel Markstedt)
  • [2026-03-28] Accepted netatalk 4.2.3~ds-1+deb13u1 (source) into proposed-updates (Debian FTP Masters) (signed by: Daniel Markstedt)
  • [2025-12-19] netatalk 4.2.3~ds-2.1 MIGRATED to testing (Debian testing watch)
  • [2025-12-17] Accepted netatalk 4.2.3~ds-2.1 (source) into unstable (Adrian Bunk)
  • [2025-10-08] netatalk 4.2.3~ds-2 MIGRATED to testing (Debian testing watch)
  • [2025-10-05] Accepted netatalk 4.2.3~ds-2 (source) into unstable (Jonas Smedegaard)
  • [2025-06-03] netatalk 4.2.3~ds-1 MIGRATED to testing (Debian testing watch)
  • [2025-05-13] Accepted netatalk 4.2.3~ds-1 (source) into unstable (Jonas Smedegaard)
  • [2025-04-26] netatalk 4.2.1~ds-1 MIGRATED to testing (Debian testing watch)
  • [2025-04-16] Accepted netatalk 4.2.1~ds-1 (source) into unstable (Jonas Smedegaard)
  • [2025-04-12] Accepted netatalk 4.2.0~ds-3 (source) into unstable (Jonas Smedegaard)
  • [2025-04-12] Accepted netatalk 4.2.0~ds-2+exp (source) into experimental (Jonas Smedegaard)
  • [2025-04-08] Accepted netatalk 4.2.0~ds-2 (source) into unstable (Jonas Smedegaard)
  • [2025-04-06] Accepted netatalk 4.2.0~ds-1 (source) into unstable (Jonas Smedegaard)
  • [2025-03-10] netatalk 4.1.2~ds-4 MIGRATED to testing (Debian testing watch)
  • [2025-03-08] Accepted netatalk 4.1.2~ds-4 (source) into unstable (Jonas Smedegaard)
  • [2025-02-25] Accepted netatalk 4.1.2~ds-3 (source) into unstable (Jonas Smedegaard)
  • [2025-02-24] Accepted netatalk 4.1.2~ds-2 (source) into unstable (Jonas Smedegaard)
  • [2025-02-15] netatalk 4.1.2~ds-1 MIGRATED to testing (Debian testing watch)
  • [2025-02-13] Accepted netatalk 4.1.2~ds-1 (source) into unstable (Jonas Smedegaard)
  • [2025-01-28] netatalk 4.1.1~ds-1 MIGRATED to testing (Debian testing watch)
  • [2025-01-24] Accepted netatalk 4.1.1~ds-1 (source) into unstable (Jonas Smedegaard)
  • [2025-01-16] netatalk 4.1.0~ds-1 MIGRATED to testing (Debian testing watch)
bugs [bug history graph]
  • all: 10
  • RC: 0
  • I&N: 9
  • M&W: 1
  • F&P: 0
  • patch: 0
links
  • homepage
  • lintian (0, 84)
  • buildd: logs, reproducibility, cross
  • popcon
  • browse source code
  • other distros
  • security tracker
  • debian patches
  • debci
ubuntu [Information about Ubuntu for Debian Developers]
  • version: 4.2.3~ds-2.1
  • 40 bugs

Debian Package Tracker — Copyright 2013-2025 The Distro Tracker Developers