Register | Log in

netatalk

Apple Filing Protocol service

Choose email to subscribe with

general

source: netatalk (main)
version: 4.0.6~ds-1
maintainer: Debian Netatalk team (archive) (DMD)
uploaders: Daniel Markstedt [DMD] – Jonas Smedegaard [DMD]
arch: all any
std-ver: 4.7.0
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 3.1.12~ds-3
o-o-sec: 3.1.12~ds-3+deb10u5
oldstable: 3.1.12~ds-8+deb11u1
old-sec: 3.1.12~ds-8+deb11u1
testing: 4.0.6~ds-1
unstable: 4.0.6~ds-1

versioned links

3.1.12~ds-3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
3.1.12~ds-3+deb10u5: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
3.1.12~ds-8+deb11u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
4.0.6~ds-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

a2boot
atalkd
libatalk
libatalk-dev
macipgw
netatalk (9 bugs: 0, 8, 1, 0)
netatalk-doc
netatalk-tests
netatalk-tools
papd
timelord

action needed

3 security issues in bullseye high

There are 3 open security issues in bullseye.

3 important issues:

CVE-2024-38439: Netatalk before 3.2.1 has an off-by-one error and resultant heap-based buffer overflow because of setting ibuf[PASSWDLEN] to '\0' in FPLoginExt in login in etc/uams/uams_pam.c. 2.4.1 and 3.1.19 are also fixed versions.
CVE-2024-38440: Netatalk before 3.2.1 has an off-by-one error, and resultant heap-based buffer overflow and segmentation violation, because of incorrectly using FPLoginExt in BN_bin2bn in etc/uams/uams_dhx_pam.c. The original issue 1097 report stated: 'The latest version of Netatalk (v3.2.0) contains a security vulnerability. This vulnerability arises due to a lack of validation for the length field after parsing user-provided data, leading to an out-of-bounds heap write of one byte (\0). Under specific configurations, this can result in reading metadata of the next heap block, potentially causing a Denial of Service (DoS) under certain heap layouts or with ASAN enabled. ... The vulnerability is located in the FPLoginExt operation of Netatalk, in the BN_bin2bn function found in /etc/uams/uams_dhx_pam.c ... if (!(bn = BN_bin2bn((unsigned char *)ibuf, KEYSIZE, NULL))) ... threads ... [#0] Id 1, Name: "afpd", stopped 0x7ffff4304e58 in ?? (), reason: SIGSEGV ... [#0] 0x7ffff4304e58 mov BYTE PTR [r14+0x8], 0x0 ... mov rdx, QWORD PTR [rsp+0x18] ... afp_login_ext(obj=<optimized out>, ibuf=0x62d000010424 "", ibuflen=0xffffffffffff0015, rbuf=<optimized out>, rbuflen=<optimized out>) ... afp_over_dsi(obj=0x5555556154c0 <obj>).' 2.4.1 and 3.1.19 are also fixed versions.
CVE-2024-38441: Netatalk before 3.2.1 has an off-by-one error and resultant heap-based buffer overflow because of setting ibuf[len] to '\0' in FPMapName in afp_mapname in etc/afpd/directory.c. 2.4.1 and 3.1.19 are also fixed versions.

1 issue that should be fixed with the next stable update:

CVE-2022-22995: The combination of primitives offered by SMB and AFP in their default configuration allows the arbitrary writing of files. By exploiting these combination of primitives, an attacker can execute arbitrary code.

Created: 2024-06-17 Last update: 2024-11-19 07:00

3 security issues in buster high

There are 3 open security issues in buster.

3 important issues:

CVE-2024-38439: Netatalk 3.2.0 has an off-by-one error and resultant heap-based buffer overflow because of setting ibuf[PASSWDLEN] to '\0' in FPLoginExt in login in etc/uams/uams_pam.c.
CVE-2024-38440: Netatalk 3.2.0 has an off-by-one error, and resultant heap-based buffer overflow and segmentation violation, because of incorrectly using FPLoginExt in BN_bin2bn in etc/uams/uams_dhx_pam.c. The original issue 1097 report stated: 'The latest version of Netatalk (v3.2.0) contains a security vulnerability. This vulnerability arises due to a lack of validation for the length field after parsing user-provided data, leading to an out-of-bounds heap write of one byte (\0). Under specific configurations, this can result in reading metadata of the next heap block, potentially causing a Denial of Service (DoS) under certain heap layouts or with ASAN enabled. ... The vulnerability is located in the FPLoginExt operation of Netatalk, in the BN_bin2bn function found in /etc/uams/uams_dhx_pam.c ... if (!(bn = BN_bin2bn((unsigned char *)ibuf, KEYSIZE, NULL))) ... threads ... [#0] Id 1, Name: "afpd", stopped 0x7ffff4304e58 in ?? (), reason: SIGSEGV ... [#0] 0x7ffff4304e58 mov BYTE PTR [r14+0x8], 0x0 ... mov rdx, QWORD PTR [rsp+0x18] ... afp_login_ext(obj=<optimized out>, ibuf=0x62d000010424 "", ibuflen=0xffffffffffff0015, rbuf=<optimized out>, rbuflen=<optimized out>) ... afp_over_dsi(obj=0x5555556154c0 <obj>).'
CVE-2024-38441: Netatalk 3.2.0 has an off-by-one error and resultant heap-based buffer overflow because of setting ibuf[len] to '\0' in FPMapName in afp_mapname in etc/afpd/directory.c.

Created: 2024-06-17 Last update: 2024-06-29 19:18

1 security issue in bookworm high

There is 1 open security issue in bookworm.

1 important issue:

CVE-2022-45188: Netatalk through 3.1.13 has an afp_getappl heap-based buffer overflow resulting in code execution via a crafted .appl file. This provides remote root access on some platforms such as FreeBSD (used for TrueNAS).

Created: 2022-11-13 Last update: 2022-11-14 05:14

Depends on packages which need a new maintainer normal

The packages that netatalk depends on which need a new maintainer are:

db5.3 (#1055356)
- Depends: libdb5.3t64 libdb5.3t64
db-defaults (#1055344)
- Build-Depends: libdb-dev
docbook-xsl (#802370)
- Build-Depends: docbook-xsl

Created: 2023-09-18 Last update: 2024-11-24 18:01

testing migrations

This package will soon be part of the auto-openldap transition. You might want to ensure that your package is ready for it. You can probably find supplementary information in the debian-release archives or in the corresponding release.debian.org bug.

news

[2024-11-19] netatalk 4.0.6~ds-1 MIGRATED to testing (Debian testing watch)
[2024-11-16] Accepted netatalk 4.0.6~ds-1 (source) into unstable (Jonas Smedegaard)
[2024-11-12] netatalk 4.0.5~ds-1 MIGRATED to testing (Debian testing watch)
[2024-11-10] Accepted netatalk 4.0.5~ds-1 (source) into unstable (Jonas Smedegaard)
[2024-11-08] Accepted netatalk 4.0.4~ds-2 (source) into unstable (Jonas Smedegaard)
[2024-11-07] Accepted netatalk 4.0.4~ds-1 (source) into unstable (Jonas Smedegaard)
[2024-11-02] netatalk 4.0.3~ds-2 MIGRATED to testing (Debian testing watch)
[2024-10-30] Accepted netatalk 4.0.3~ds-2 (source) into unstable (Jonas Smedegaard)
[2024-10-30] Accepted netatalk 4.0.3~ds-1 (source amd64 all) into experimental (Debian FTP Masters) (signed by: Jonas Smedegaard)
[2024-10-28] Accepted netatalk 4.0.2~ds-2 (source) into unstable (Jonas Smedegaard)
[2024-10-20] Accepted netatalk 4.0.2~ds-1 (source) into unstable (Jonas Smedegaard)
[2024-10-18] netatalk 4.0.1~ds-1 MIGRATED to testing (Debian testing watch)
[2024-10-12] Accepted netatalk 4.0.1~ds-1 (source) into unstable (Jonas Smedegaard)
[2024-10-05] Accepted netatalk 4.0.0~ds-4 (source) into unstable (Jonas Smedegaard)
[2024-10-03] Accepted netatalk 4.0.0~ds-3 (source) into unstable (Jonas Smedegaard)
[2024-10-02] Accepted netatalk 4.0.0~ds-2 (source amd64 all) into experimental (Jonas Smedegaard)
[2024-10-01] Accepted netatalk 4.0.0~ds-1 (source amd64 all) into experimental (Debian FTP Masters) (signed by: Jonas Smedegaard)
[2024-10-01] netatalk 3.2.10~ds-1 MIGRATED to testing (Debian testing watch)
[2024-09-26] Accepted netatalk 3.2.10~ds-1 (source) into unstable (Jonas Smedegaard)
[2024-09-26] netatalk 3.2.9~ds-3 MIGRATED to testing (Debian testing watch)
[2024-09-21] Accepted netatalk 3.2.9~ds-3 (source) into unstable (Jonas Smedegaard)
[2024-09-19] Accepted netatalk 3.2.9~ds-2 (source) into unstable (Jonas Smedegaard)
[2024-09-18] Accepted netatalk 3.2.9~ds-1 (source) into unstable (Jonas Smedegaard)
[2024-08-23] netatalk REMOVED from testing (Debian testing watch)
[2024-07-03] netatalk 3.1.18~ds-2 MIGRATED to testing (Debian testing watch)
[2024-07-01] Accepted netatalk 3.1.18~ds-2 (source) into unstable (Jonas Smedegaard)
[2024-01-04] Accepted netatalk 3.1.12~ds-3+deb10u5 (source) into oldoldstable (Markus Koschany)
[2023-10-11] netatalk 3.1.18~ds-1 MIGRATED to testing (Debian testing watch)
[2023-10-06] Accepted netatalk 3.1.18~ds-1 (source amd64) into unstable (Jonas Smedegaard)
[2023-09-25] Accepted netatalk 3.1.12~ds-3+deb10u4 (source) into oldoldstable (Markus Koschany)

1
2

bugs [bug history graph]

all: 9
RC: 0
I&N: 8
M&W: 1
F&P: 0
patch: 0

links

homepage
lintian
buildd: logs, reproducibility, cross
popcon
browse source code
edit tags
other distros
security tracker
screenshots
debian patches
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 3.2.9~ds-1
40 bugs

Debian Package Tracker — Copyright 2013-2018 The Distro Tracker Developers

Report problems to the tracker.debian.org pseudo-package in the Debian BTS.

Documentation — Bugs — Git Repository — Contributing