netatalk - Debian Package Tracker

general

source: netatalk (main)
version: 4.1.0~ds-1
maintainer: Debian Netatalk team (archive) (DMD)
uploaders: Daniel Markstedt [DMD] – Jonas Smedegaard [DMD]
arch: all any
std-ver: 4.7.0
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 3.1.12~ds-3
o-o-sec: 3.1.12~ds-3+deb10u5
oldstable: 3.1.12~ds-8+deb11u1
old-sec: 3.1.12~ds-8+deb11u2
testing: 4.1.0~ds-1
unstable: 4.1.0~ds-1

versioned links

3.1.12~ds-3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
3.1.12~ds-3+deb10u5: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
3.1.12~ds-8+deb11u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
3.1.12~ds-8+deb11u2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
4.1.0~ds-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

a2boot
atalkd
libatalk
libatalk-dev
macipgw
netatalk (9 bugs: 0, 8, 1, 0)
netatalk-doc
netatalk-tests
netatalk-tools
papd
timelord

action needed

3 security issues in buster high

There are 3 open security issues in buster.

3 important issues:

CVE-2024-38439: Netatalk 3.2.0 has an off-by-one error and resultant heap-based buffer overflow because of setting ibuf[PASSWDLEN] to '\0' in FPLoginExt in login in etc/uams/uams_pam.c.
CVE-2024-38440: Netatalk 3.2.0 has an off-by-one error, and resultant heap-based buffer overflow and segmentation violation, because of incorrectly using FPLoginExt in BN_bin2bn in etc/uams/uams_dhx_pam.c. The original issue 1097 report stated: 'The latest version of Netatalk (v3.2.0) contains a security vulnerability. This vulnerability arises due to a lack of validation for the length field after parsing user-provided data, leading to an out-of-bounds heap write of one byte (\0). Under specific configurations, this can result in reading metadata of the next heap block, potentially causing a Denial of Service (DoS) under certain heap layouts or with ASAN enabled. ... The vulnerability is located in the FPLoginExt operation of Netatalk, in the BN_bin2bn function found in /etc/uams/uams_dhx_pam.c ... if (!(bn = BN_bin2bn((unsigned char *)ibuf, KEYSIZE, NULL))) ... threads ... [#0] Id 1, Name: "afpd", stopped 0x7ffff4304e58 in ?? (), reason: SIGSEGV ... [#0] 0x7ffff4304e58 mov BYTE PTR [r14+0x8], 0x0 ... mov rdx, QWORD PTR [rsp+0x18] ... afp_login_ext(obj=<optimized out>, ibuf=0x62d000010424 "", ibuflen=0xffffffffffff0015, rbuf=<optimized out>, rbuflen=<optimized out>) ... afp_over_dsi(obj=0x5555556154c0 <obj>).'
CVE-2024-38441: Netatalk 3.2.0 has an off-by-one error and resultant heap-based buffer overflow because of setting ibuf[len] to '\0' in FPMapName in afp_mapname in etc/afpd/directory.c.

Created: 2024-06-17 Last update: 2024-06-29 19:18

1 security issue in bookworm high

There is 1 open security issue in bookworm.

1 important issue:

CVE-2022-45188: Netatalk through 3.1.13 has an afp_getappl heap-based buffer overflow resulting in code execution via a crafted .appl file. This provides remote root access on some platforms such as FreeBSD (used for TrueNAS).

Created: 2022-11-13 Last update: 2022-11-14 05:14

Depends on packages which need a new maintainer normal

The packages that netatalk depends on which need a new maintainer are:

db5.3 (#1055356)
- Depends: libdb5.3t64 libdb5.3t64
db-defaults (#1055344)
- Build-Depends: libdb-dev
docbook-xsl (#802370)
- Build-Depends: docbook-xsl

Created: 2023-09-18 Last update: 2025-01-20 13:34

1 new commit since last upload, is it time to release? normal

vcswatch reports that this package seems to have new commits in its VCS but has not yet updated debian/changelog. You should consider updating the Debian changelog and uploading this new version into the archive.

Here are the relevant commit logs:

commit 244068950fecf0b9a19e4742dcdb850288609bcb
Author: Daniel Markstedt <daniel@mindani.net>
Date:   Tue Jan 14 19:12:29 2025 +0100

    fix copyright path after upstream changes

Created: 2025-01-14 Last update: 2025-01-14 18:30

lintian reports 1 warning normal

Lintian reports 1 warning about this package. You should make the package lintian clean getting rid of them.

Created: 2025-01-14 Last update: 2025-01-14 10:31

news

[rss feed]

[2025-01-16] netatalk 4.1.0~ds-1 MIGRATED to testing (Debian testing watch)
[2025-01-13] Accepted netatalk 4.1.0~ds-1 (source) into unstable (Jonas Smedegaard)
[2024-12-20] netatalk 4.0.8~ds-1 MIGRATED to testing (Debian testing watch)
[2024-12-18] Accepted netatalk 4.0.8~ds-1 (source) into unstable (Jonas Smedegaard)
[2024-12-08] netatalk 4.0.7~ds-2 MIGRATED to testing (Debian testing watch)
[2024-12-06] Accepted netatalk 4.0.7~ds-2 (source) into unstable (Jonas Smedegaard)
[2024-11-30] Accepted netatalk 4.0.7~ds-1 (source) into unstable (Jonas Smedegaard)
[2024-11-27] Accepted netatalk 3.1.12~ds-8+deb11u2 (source) into oldstable-security (Thorsten Alteholz)
[2024-11-19] netatalk 4.0.6~ds-1 MIGRATED to testing (Debian testing watch)
[2024-11-16] Accepted netatalk 4.0.6~ds-1 (source) into unstable (Jonas Smedegaard)
[2024-11-12] netatalk 4.0.5~ds-1 MIGRATED to testing (Debian testing watch)
[2024-11-10] Accepted netatalk 4.0.5~ds-1 (source) into unstable (Jonas Smedegaard)
[2024-11-08] Accepted netatalk 4.0.4~ds-2 (source) into unstable (Jonas Smedegaard)
[2024-11-07] Accepted netatalk 4.0.4~ds-1 (source) into unstable (Jonas Smedegaard)
[2024-11-02] netatalk 4.0.3~ds-2 MIGRATED to testing (Debian testing watch)
[2024-10-30] Accepted netatalk 4.0.3~ds-2 (source) into unstable (Jonas Smedegaard)
[2024-10-30] Accepted netatalk 4.0.3~ds-1 (source amd64 all) into experimental (Debian FTP Masters) (signed by: Jonas Smedegaard)
[2024-10-28] Accepted netatalk 4.0.2~ds-2 (source) into unstable (Jonas Smedegaard)
[2024-10-20] Accepted netatalk 4.0.2~ds-1 (source) into unstable (Jonas Smedegaard)
[2024-10-18] netatalk 4.0.1~ds-1 MIGRATED to testing (Debian testing watch)
[2024-10-12] Accepted netatalk 4.0.1~ds-1 (source) into unstable (Jonas Smedegaard)
[2024-10-05] Accepted netatalk 4.0.0~ds-4 (source) into unstable (Jonas Smedegaard)
[2024-10-03] Accepted netatalk 4.0.0~ds-3 (source) into unstable (Jonas Smedegaard)
[2024-10-02] Accepted netatalk 4.0.0~ds-2 (source amd64 all) into experimental (Jonas Smedegaard)
[2024-10-01] Accepted netatalk 4.0.0~ds-1 (source amd64 all) into experimental (Debian FTP Masters) (signed by: Jonas Smedegaard)
[2024-10-01] netatalk 3.2.10~ds-1 MIGRATED to testing (Debian testing watch)
[2024-09-26] Accepted netatalk 3.2.10~ds-1 (source) into unstable (Jonas Smedegaard)
[2024-09-26] netatalk 3.2.9~ds-3 MIGRATED to testing (Debian testing watch)
[2024-09-21] Accepted netatalk 3.2.9~ds-3 (source) into unstable (Jonas Smedegaard)
[2024-09-19] Accepted netatalk 3.2.9~ds-2 (source) into unstable (Jonas Smedegaard)

bugs [bug history graph]

all: 9
RC: 0
I&N: 8
M&W: 1
F&P: 0
patch: 0

links

homepage
lintian (0, 1)
buildd: logs, reproducibility, cross
popcon
browse source code
edit tags
other distros
security tracker
screenshots
debian patches
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 4.1.0~ds-1
40 bugs