Debian Package Tracker

netatalk

Apple Filing Protocol service


general
  • source: netatalk (main)
  • version: 4.4.3~ds-1
  • maintainer: Debian Netatalk team (archive) (DMD)
  • uploaders: Daniel Markstedt [DMD] [DM] – Jonas Smedegaard [DMD]
  • arch: all any
  • std-ver: 4.7.4
  • VCS: Git (Browse, QA)
versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]
[pool directory]
  • o-o-stable: 3.1.12~ds-8+deb11u1
  • o-o-sec: 3.1.12~ds-8+deb11u2
  • stable: 4.2.3~ds-1+deb13u1
  • stable-sec: 4.2.3~ds-1+deb13u2
  • stable-p-u: 4.2.3~ds-1+deb13u2
  • testing: 4.4.3~ds-1
  • unstable: 4.4.3~ds-1
versioned links
  • 3.1.12~ds-8+deb11u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 3.1.12~ds-8+deb11u2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 4.2.3~ds-1+deb13u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 4.2.3~ds-1+deb13u2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 4.4.3~ds-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
binaries
  • a2boot
  • atalkd
  • libatalk
  • libatalk-dev
  • macipgw
  • netatalk (32 bugs: 22, 9, 1, 0)
  • netatalk-doc
  • netatalk-tests
  • netatalk-tools
  • papd
  • timelord
action needed
11 security issues in sid (high)

There are 11 open security issues in sid.

11 important issues:
  • CVE-2026-44053: Netatalk 1.5.0 through 4.2.2 uses a broken cryptographic algorithm in the DHCAST128 UAM, which allows a remote attacker to obtain authentication credentials or impersonate a user via cryptanalytic attack.
  • CVE-2026-44056: A stack-based buffer overflow in desktop.c in Netatalk 1.3 through 4.2.2 allows a remote authenticated attacker to cause a denial of service, obtain limited information, or modify limited data.
  • CVE-2026-44058: An authentication bypass vulnerability in Netatalk 2.2.2 through 4.4.2 allows a remote privileged user to authenticate as an arbitrary user via the admin auth user mechanism.
  • CVE-2026-44061: Netatalk 1.5.0 through 4.4.2 uses DES-ECB for authentication with a timing side channel, which allows a remote attacker to recover authentication credentials via timing analysis.
  • CVE-2026-44063: An LDAP injection vulnerability in Netatalk 2.1.0 through 4.4.2 allows a remote authenticated attacker to manipulate LDAP queries and obtain limited information or modify LDAP entries via crafted filter input.
  • CVE-2026-44065: An off-by-two error in lp_write() in papd in Netatalk 2.0.0 through 4.4.2 allows an adjacent network attacker to modify limited data or cause a minor service disruption via crafted print data.
  • CVE-2026-44067: A heap over-read in extended attribute (EA) header parsing in Netatalk 2.1.0 through 4.4.2 allows a remote authenticated attacker to obtain limited information or cause a minor service disruption via crafted EA data.
  • CVE-2026-49387:
  • CVE-2026-49388:
  • CVE-2026-49389:
  • CVE-2026-49390:
Created: 2026-05-14 Last update: 2026-05-31 16:30
11 security issues in forky (high)

There are 11 open security issues in forky.

11 important issues:
  • CVE-2026-44053: Netatalk 1.5.0 through 4.2.2 uses a broken cryptographic algorithm in the DHCAST128 UAM, which allows a remote attacker to obtain authentication credentials or impersonate a user via cryptanalytic attack.
  • CVE-2026-44056: A stack-based buffer overflow in desktop.c in Netatalk 1.3 through 4.2.2 allows a remote authenticated attacker to cause a denial of service, obtain limited information, or modify limited data.
  • CVE-2026-44058: An authentication bypass vulnerability in Netatalk 2.2.2 through 4.4.2 allows a remote privileged user to authenticate as an arbitrary user via the admin auth user mechanism.
  • CVE-2026-44061: Netatalk 1.5.0 through 4.4.2 uses DES-ECB for authentication with a timing side channel, which allows a remote attacker to recover authentication credentials via timing analysis.
  • CVE-2026-44063: An LDAP injection vulnerability in Netatalk 2.1.0 through 4.4.2 allows a remote authenticated attacker to manipulate LDAP queries and obtain limited information or modify LDAP entries via crafted filter input.
  • CVE-2026-44065: An off-by-two error in lp_write() in papd in Netatalk 2.0.0 through 4.4.2 allows an adjacent network attacker to modify limited data or cause a minor service disruption via crafted print data.
  • CVE-2026-44067: A heap over-read in extended attribute (EA) header parsing in Netatalk 2.1.0 through 4.4.2 allows a remote authenticated attacker to obtain limited information or cause a minor service disruption via crafted EA data.
  • CVE-2026-49387:
  • CVE-2026-49388:
  • CVE-2026-49389:
  • CVE-2026-49390:
Created: 2026-05-14 Last update: 2026-05-31 16:30
31 security issues in bullseye (high)

There are 31 open security issues in bullseye.

31 important issues:
  • CVE-2026-44047: An SQL injection vulnerability in the MySQL CNID backend in Netatalk 3.1.0 through 4.4.2 allows a remote authenticated attacker to obtain unauthorized access to data, modify data, or cause a denial of service.
  • CVE-2026-44048: A stack-based buffer overflow via UCS-2 type confusion in convert_charset() in Netatalk 2.0.4 through 4.4.2 allows a remote authenticated attacker to execute arbitrary code or cause a denial of service.
  • CVE-2026-44049: An out-of-bounds write due to improper null termination in convert_charset() in Netatalk 2.0.4 through 4.4.2 allows a remote authenticated attacker to execute arbitrary code or cause a denial of service via crafted character data.
  • CVE-2026-44050: A heap-based buffer overflow in the CNID daemon comm_rcv() function in Netatalk 2.0.0 through 4.4.2 allows a remote authenticated attacker to execute arbitrary code with escalated privileges or cause a denial of service.
  • CVE-2026-44051: An improper link resolution vulnerability in Netatalk 3.0.2 through 4.4.2 allows a remote authenticated attacker to read arbitrary files or overwrite arbitrary files via attacker-controlled symlink creation.
  • CVE-2026-44052: Netatalk 2.1.0 through 4.4.2 inserts LDAP simple-bind passwords into log output in cleartext, which allows an attacker with access to the log files to obtain LDAP credentials.
  • CVE-2026-44053: Netatalk 1.5.0 through 4.2.2 uses a broken cryptographic algorithm in the DHCAST128 UAM, which allows a remote attacker to obtain authentication credentials or impersonate a user via cryptanalytic attack.
  • CVE-2026-44054: Netatalk 2.0.0 through 4.4.2 generates AFP session tokens derived from predictable process IDs, which allows a remote authenticated attacker to cause a denial of service by exploiting the reconnect mechanism.
  • CVE-2026-44055: A logic error involving bitwise OR operations in Netatalk 3.1.4 through 4.4.2 allows a remote authenticated attacker to inject OS commands and execute arbitrary code.
  • CVE-2026-44056: A stack-based buffer overflow in desktop.c in Netatalk 1.3 through 4.2.2 allows a remote authenticated attacker to cause a denial of service, obtain limited information, or modify limited data.
  • CVE-2026-44057: A dead bounds check in the Spotlight RPC unmarshaller in Netatalk 3.0.0 through 4.4.2 results in an unreachable code path that provides no effective bounds protection, which may allow a remote authenticated attacker to obtain limited information via crafted Spotlight RPC requests.
  • CVE-2026-44058: An authentication bypass vulnerability in Netatalk 2.2.2 through 4.4.2 allows a remote privileged user to authenticate as an arbitrary user via the admin auth user mechanism.
  • CVE-2026-44060: An integer underflow in dsi_writeinit() in Netatalk 1.5.0 through 4.4.2 allows a remote unauthenticated attacker to cause a denial of service via a crafted DSI write request.
  • CVE-2026-44061: Netatalk 1.5.0 through 4.4.2 uses DES-ECB for authentication with a timing side channel, which allows a remote attacker to recover authentication credentials via timing analysis.
  • CVE-2026-44062: A missing output length bounds check in pull_charset_flags() in Netatalk 2.0.4 through 4.4.2 allows a remote authenticated attacker to execute arbitrary code or cause a denial of service via crafted character set data.
  • CVE-2026-44063: An LDAP injection vulnerability in Netatalk 2.1.0 through 4.4.2 allows a remote authenticated attacker to manipulate LDAP queries and obtain limited information or modify LDAP entries via crafted filter input.
  • CVE-2026-44064: An out-of-bounds read in ASP session ID handling in Netatalk 1.3 through 4.4.2 allows an adjacent network attacker to obtain limited information or cause a denial of service via a crafted ASP request.
  • CVE-2026-44065: An off-by-two error in lp_write() in papd in Netatalk 2.0.0 through 4.4.2 allows an adjacent network attacker to modify limited data or cause a minor service disruption via crafted print data.
  • CVE-2026-44066: Multiple heap out-of-bounds reads in the Spotlight RPC unmarshalling code in Netatalk 3.1.0 through 4.4.2 allow a remote authenticated attacker to obtain sensitive information or cause a minor service disruption.
  • CVE-2026-44067: A heap over-read in extended attribute (EA) header parsing in Netatalk 2.1.0 through 4.4.2 allows a remote authenticated attacker to obtain limited information or cause a minor service disruption via crafted EA data.
  • CVE-2026-44068: Incomplete sanitization of extended attribute (EA) path components in Netatalk 2.1.0 through 4.4.2 allows a remote authenticated attacker to write to files outside the intended metadata namespace via crafted EA names.
  • CVE-2026-44076: Insufficient sanitization of volume paths in Netatalk 3.1.0 through 4.4.2 allows a local privileged user to inject OS commands and execute arbitrary code via a crafted volume path.
  • CVE-2026-45354:
  • CVE-2026-45355:
  • CVE-2026-45356:
  • CVE-2026-45698:
  • CVE-2026-45699:
  • CVE-2026-49387:
  • CVE-2026-49388:
  • CVE-2026-49389:
  • CVE-2026-49390:
Created: 2026-05-14 Last update: 2026-05-31 16:30
3 security issues in buster (high)

There are 3 open security issues in buster.

3 important issues:
  • CVE-2024-38439: Netatalk 3.2.0 has an off-by-one error and resultant heap-based buffer overflow because of setting ibuf[PASSWDLEN] to '\0' in FPLoginExt in login in etc/uams/uams_pam.c.
  • CVE-2024-38440: Netatalk 3.2.0 has an off-by-one error, and resultant heap-based buffer overflow and segmentation violation, because of incorrectly using FPLoginExt in BN_bin2bn in etc/uams/uams_dhx_pam.c. The original issue 1097 report stated: 'The latest version of Netatalk (v3.2.0) contains a security vulnerability. This vulnerability arises due to a lack of validation for the length field after parsing user-provided data, leading to an out-of-bounds heap write of one byte (\0). Under specific configurations, this can result in reading metadata of the next heap block, potentially causing a Denial of Service (DoS) under certain heap layouts or with ASAN enabled. ... The vulnerability is located in the FPLoginExt operation of Netatalk, in the BN_bin2bn function found in /etc/uams/uams_dhx_pam.c ... if (!(bn = BN_bin2bn((unsigned char *)ibuf, KEYSIZE, NULL))) ... threads ... [#0] Id 1, Name: "afpd", stopped 0x7ffff4304e58 in ?? (), reason: SIGSEGV ... [#0] 0x7ffff4304e58 mov BYTE PTR [r14+0x8], 0x0 ... mov rdx, QWORD PTR [rsp+0x18] ... afp_login_ext(obj=<optimized out>, ibuf=0x62d000010424 "", ibuflen=0xffffffffffff0015, rbuf=<optimized out>, rbuflen=<optimized out>) ... afp_over_dsi(obj=0x5555556154c0 <obj>).'
  • CVE-2024-38441: Netatalk 3.2.0 has an off-by-one error and resultant heap-based buffer overflow because of setting ibuf[len] to '\0' in FPMapName in afp_mapname in etc/afpd/directory.c.
Created: 2024-06-17 Last update: 2024-06-29 19:18
1 security issue in bookworm (high)

There is 1 open security issue in bookworm.

1 important issue:
  • CVE-2022-45188: Netatalk through 3.1.13 has an afp_getappl heap-based buffer overflow resulting in code execution via a crafted .appl file. This provides remote root access on some platforms such as FreeBSD (used for TrueNAS).
Created: 2022-11-13 Last update: 2022-11-14 05:14
Depends on packages which need a new maintainer (normal)
The packages that netatalk depends on which need a new maintainer are:
  • db5.3 (#1055356)
    • Depends: libdb5.3t64 libdb5.3t64
  • systemtap (#1114760)
    • Build-Depends: systemtap-sdt-dev
  • db-defaults (#1055344)
    • Build-Depends: libdb-dev
Created: 2023-09-18 Last update: 2026-06-01 12:01
Does not build reproducibly during testing (normal)
A package building reproducibly enables third parties to verify that the source matches the distributed binaries. It has been identified that this source package produced different results, failed to build or had other issues in a test environment. Please read about how to improve the situation!
Created: 2025-11-15 Last update: 2026-06-01 11:16
version in VCS is newer than in repository, is it time to upload? (normal)
vcswatch reports that this package seems to have a new changelog entry (version 4.5.0~ds-1, distribution unstable) and new commits in its VCS. You should consider whether it's time to make an upload.

Here are the relevant commit messages:
commit 42d6e8640b9fcb91472fbad79544467d4acb2e8b
Author: Daniel Markstedt <daniel@mindani.net>
Date:   Mon Jun 1 08:05:20 2026 +0200

    remove superfluous copyright file patterns

commit 0e06362a279751d9e24a217f3803f5dace55b211
Author: Daniel Markstedt <daniel@mindani.net>
Date:   Mon Jun 1 08:02:29 2026 +0200

    install dconf profile

commit 2504d78ef227fb27d670005c140a0551fb7248df
Author: Daniel Markstedt <daniel@mindani.net>
Date:   Mon Jun 1 08:01:30 2026 +0200

    remove man pages no longer distributed

commit 12471e327feaee15b26ea0190739430881fc1db3
Author: Daniel Markstedt <daniel@mindani.net>
Date:   Mon Jun 1 08:00:00 2026 +0200

    install SRP library

commit c7b0271ecdff6cc81883c72b0570789055951004
Author: Daniel Markstedt <daniel@mindani.net>
Date:   Mon Jun 1 07:53:18 2026 +0200

    patch implicit header import bug

commit 336285c621cd02bf5b9c28eb55dcaa7a57cae06f
Author: Daniel Markstedt <daniel@mindani.net>
Date:   Mon Jun 1 07:55:56 2026 +0200

    we no longer distribute macusers

commit cad319db51e01ae3d11b00527c93f9abade437f7
Author: Daniel Markstedt <daniel@mindani.net>
Date:   Mon Jun 1 07:55:12 2026 +0200

    bump to soversion 20

commit c5031b8ebd5d7343c74cd7d2457dad60d22b11eb
Author: Daniel Markstedt <daniel@mindani.net>
Date:   Mon Jun 1 07:34:01 2026 +0200

    update changelog

commit cf1000ac043bcb9e62efd0fd5d3bd4a5778abe83
Author: Daniel Markstedt <daniel@mindani.net>
Date:   Mon Jun 1 07:39:40 2026 +0200

    configure spotlight backends

commit ff1c01906092918fbc3962edfbf2e9434644f393
Author: Daniel Markstedt <daniel@mindani.net>
Date:   Mon Jun 1 07:35:19 2026 +0200

    unfuzz patch

commit 8e9cba2a407710ca834fa1c0fdce254f7a3d9109
Author: Daniel Markstedt <daniel@mindani.net>
Date:   Sun May 31 23:21:55 2026 +0200

    update smoketests

commit 5c523e5c6c6d7d78d66049507f1b090d4f8ddfd2
Author: Daniel Markstedt <daniel@mindani.net>
Date:   Sun May 31 23:15:25 2026 +0200

    tests are bigendian compatible now

commit 8c30f6efed140ec05c9361659e4ca49f81c393a7
Author: Daniel Markstedt <daniel@mindani.net>
Date:   Sun May 31 23:11:11 2026 +0200

    a few readmes have been removed

commit ae28bc104799395bc443c59c7cc649d517f8585a
Author: Daniel Markstedt <daniel@mindani.net>
Date:   Sun May 31 23:09:28 2026 +0200

    we no longer ship a dbus conf for afpstats

commit 349000388dfbb8ef1ebb72eb6628c379ac6d537e
Author: Daniel Markstedt <daniel@mindani.net>
Date:   Sun May 31 23:07:44 2026 +0200

    update comment

commit e2aeea6327677ffed534f689ec6df59010ead929
Author: Daniel Markstedt <daniel@mindani.net>
Date:   Sun May 31 23:06:05 2026 +0200

    soversion bumped to v20

commit 01cab8c6f62dd8660f3b7cc6376c70927f166cf1
Author: Daniel Markstedt <daniel@mindani.net>
Date:   Sun May 31 23:04:14 2026 +0200

    use centralized descriptions

commit fb963a08df5eae1179c96200ea2ba03595cf7b98
Author: Daniel Markstedt <daniel@mindani.net>
Date:   Sun May 31 22:55:58 2026 +0200

    switch to the light-weight libev

commit 3eda9557f4da5c260f5e0ed23b232937dfb11703
Author: Daniel Markstedt <daniel@mindani.net>
Date:   Sun May 31 22:55:32 2026 +0200

    update control for v4.5.0

commit 83333a403a7864656c69128daeed48befcad93ab
Author: Daniel Markstedt <daniel@mindani.net>
Date:   Sun May 31 22:30:34 2026 +0200

    update copyright

commit 1e1ec1ed53978842ef98aa35cc1d571670c5961b
Author: Daniel Markstedt <daniel@mindani.net>
Date:   Sun May 31 21:22:35 2026 +0200

    update copyright_hints

commit ed7f7d090eae1f0a37f46be50009ef8af9c587fe
Merge: fb9f6e3a d850356a
Author: Daniel Markstedt <daniel@mindani.net>
Date:   Sun May 31 21:03:58 2026 +0200

    Update upstream source from tag 'upstream/4.5.0_ds'
    
    Update to upstream version '4.5.0~ds'
    with Debian dir 90b020a5a49bd16ffbc60cb14244161a291cae66

commit d850356afe4effb1608cb061ef103442ef4c2028
Merge: 01c12a7f 3fcb0e10
Author: Daniel Markstedt <daniel@mindani.net>
Date:   Sun May 31 21:03:51 2026 +0200

    New upstream version 4.5.0~ds

commit 3fcb0e10345bd2ff4bc1e27265f7c9cd1c9e182b
Author: Daniel Markstedt <daniel@mindani.net>
Date:   Sat May 30 14:06:29 2026 +0200

    move containers readme to repository root
    
    this makes it so that documentation that is to be distributed and
    published to the website is always either under the doc/ subdir or
    in the repository root

commit b35b4130492e8e9aaaa1708c6e7df5e6ec56dbe2
Author: Daniel Markstedt <daniel@mindani.net>
Date:   Sat May 30 09:45:59 2026 +0200

    docs: improve Japanese localization wordings and grammar

commit 2b20258187035e036331db1caef2d461d9ffe19a
Author: Daniel Markstedt <daniel@mindani.net>
Date:   Thu May 21 18:43:49 2026 +0200

    docs: refresh Japanese localization

commit 96873e1882c892061238f33331d40181ef0ac439
Author: Daniel Markstedt <daniel@mindani.net>
Date:   Thu May 21 19:34:43 2026 +0200

    docs: minor tweaks to the manual for clarity

commit 5b15beeaa76e552719f2509ccc1601ac892ccef5
Author: Daniel Markstedt <daniel@mindani.net>
Date:   Sat May 30 08:27:31 2026 +0200

    add advisories

commit d639228cccf9cadd7d4bcc6db8d95b530b9af9fb
Author: Daniel Markstedt <daniel@mindani.net>
Date:   Sat May 30 08:23:44 2026 +0200

    update changelog

commit 06c6a4186a25375f7dbd61a2253e35e8dd1bef17
Author: Daniel Markstedt <daniel@mindani.net>
Date:   Sat May 23 22:51:46 2026 +0200

    CVE-2026-49390: afpd: strictly parse server quantum
    
    Reported-by: Michalis Vasileiadis (@vmihalis)
    Signed-off-by: Daniel Markstedt <daniel@mindani.net>
    Reviewed-by: Andy Lemin (@andylemin)

commit 5a343d1aa53dc406aca922f7c379ab82d0decd3e
Author: Daniel Markstedt <daniel@mindani.net>
Date:   Sat May 23 20:56:14 2026 +0200

    testsuite: add FPCatSearch and FPCatSearchExt error case tests
    
    Co-authored-by: Michalis Vasileiadis (@vmihalis)
    Signed-off-by: Daniel Markstedt <daniel@mindani.net>
    Reviewed-by: Andy Lemin (@andylemin)

commit 39bd5c0fc78b21c05e3eac2501ae92290c61f3f0
Author: Daniel Markstedt <daniel@mindani.net>
Date:   Sat May 23 20:47:29 2026 +0200

    CVE-2026-49389: afpd: bound CatSearch search-spec length and reject truncated specs
    
    Reported-by: Michalis Vasileiadis (@vmihalis)
    Co-authored-by: Michalis Vasileiadis (@vmihalis)
    Signed-off-by: Daniel Markstedt <daniel@mindani.net>
    Reviewed-by: Andy Lemin (@andylemin)

commit 117c7679642a0b4c986ea68d51f6a7fc655527fd
Author: Daniel Markstedt <daniel@mindani.net>
Date:   Mon May 25 21:38:31 2026 +0200

    CVE-2026-49387,CVE-2026-49388: afpd: bound Spotlight unmarshalling reads
    
    Reported-by: Michalis Vasileiadis (@vmihalis)
    Signed-off-by: Daniel Markstedt <daniel@mindani.net>
    Reviewed-by: Andy Lemin (@andylemin)

commit b81c3e7dd917380b43db2343fa6cd460487176b0
Author: Daniel Markstedt <daniel@mindani.net>
Date:   Mon May 25 21:10:20 2026 +0200

    testsuite: add FPSpotlightRPC error case tests

commit 9cbf31d1ee382a42a7ac2b676c3a0d6f20f98cd1
Author: NJRoadfan <NJRoadfan@users.noreply.github.com>
Date:   Fri May 29 23:41:17 2026 -0400

    meson: Fix detection of libatomic
    
    Currently if the test for built-in GCC atomic functions fails, meson only searches for the libatomic library at the default location. Some platforms install the library in an alternate location (ex: NetBSD/m68k), so we search those additional locations. If the library is found, update the linker args to search that directory. Fixes #3043.

commit ae54748b066bf4b0e1c01e9f524e2c83fea14dc1
Author: Daniel Markstedt <daniel@mindani.net>
Date:   Sat May 30 00:03:57 2026 +0200

    ci: add libev dependency to macOS spectest job

commit 6a36f459e032d38b54a302f611e10a28b919eb8c
Author: Daniel Markstedt <daniel@mindani.net>
Date:   Fri May 29 23:40:13 2026 +0200

    meson: generate compilation doc on the fly, don't store in git
    
    the COMPILATION.md doc is only meant to be published on the website,
    so rather than storing a snapshot in git that has to be refreshed
    regularly, let it be built on the fly only when needed
    
    this saves us some manual overhead for each release

commit 4a186c1e42496ae8e7631d2808f900ab772226d8
Author: Daniel Markstedt <daniel@mindani.net>
Date:   Fri May 29 19:47:26 2026 +0200

    docs: import YAML::PP preserve constant directly
    
    Ubuntu 22.04 ships YAML::PP 0.029, whose YAML::PP::Common module
    does not provide the :PRESERVE export tag used by newer releases.
    
    Import PRESERVE_ORDER explicitly instead, which is the only constant
    this helper needs and keeps make_compile_docs.pl compatible with
    both old and new YAML::PP versions.

commit 077b9bc9002c6d67fce3e2eb3370214fd13414e4
Author: Daniel Markstedt <daniel@mindani.net>
Date:   Thu May 28 19:52:59 2026 +0200

    meson: introduce a -Dwith-docs-only option
    
    the -Dwith-docs-only option bypasses all source code compilation
    and generates only the documentation
    
    the primary purpose of this option is to build the docs for the
    netatalk.io website when using the -Dwith-website option,
    deployed as a submodule of the netatalk.io git repository

commit 7425e025f941f6fe94872f8ab8fb112e3ec49a5c
Author: Daniel Markstedt <daniel@mindani.net>
Date:   Wed May 27 23:17:52 2026 +0200

    test: report afpd integration checks with TAP
    
    Add a TAP output mode to the afpd integration test harness and run
    it through Meson's TAP protocol so individual assertions are visible
    in Meson test output. Preserve the existing direct-run output by
    default and keep TAP output on the original stdout even after afpd
    logging setup.
    
    Bump the Meson requirement to 0.62.0 for verbose TAP test reporting
    and print the afpd integration tests in the setup summary.

commit f20656d807fbfc69270ba4fd7963a4443a0068e1
Author: Daniel Markstedt <daniel@mindani.net>
Date:   Wed May 27 21:14:05 2026 +0200

    afp.conf: default cnid server host-only port
    
    Preserve the configured CNID server host when no port is specified
    and default the port to 4700. Also split volume-level host:port
    values on the owned copy so the stored server name is clean.
    
    Check CNID server parsing allocations before logging or using the
    parsed host and port, avoiding NULL string arguments on allocation
    failure.
    
    Clarify cnid server/listen documentation for hostnames and the
    default port.
    
    Add afpd integration test coverage for host-only global CNID server
    config.
    
    Reported-by: plouflechien (@pm)
    Signed-off-by: Daniel Markstedt <daniel@mindani.net>

commit 16342d4fb572683020f32b6c84424432369c4c6a
Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Date:   Tue May 26 15:55:24 2026 +0000

    build(deps): bump github/codeql-action in /.github/workflows
    
    Bumps [github/codeql-action](https://github.com/github/codeql-action) from 4.35.3 to 4.35.4.
    - [Release notes](https://github.com/github/codeql-action/releases)
    - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
    - [Commits](https://github.com/github/codeql-action/compare/e46ed2cbd01164d986452f91f178727624ae40d7...68bde559dea0fdcac2102bfdf6230c5f70eb485e)
    
    ---
    updated-dependencies:
    - dependency-name: github/codeql-action
      dependency-version: 4.35.4
      dependency-type: direct:production
      update-type: version-update:semver-patch
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>

commit 668ac922c320a447bd8f6e83c96aec4e3985a60a
Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Date:   Tue May 26 15:53:27 2026 +0000

    build(deps): bump debian from 13.4-slim to 13.5-slim in /distrib/docker
    
    Bumps debian from 13.4-slim to 13.5-slim.
    
    ---
    updated-dependencies:
    - dependency-name: debian
      dependency-version: 13.5-slim
      dependency-type: direct:production
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>

commit 2182c6eb398902761c084ebc914ac670299ccb84
Author: Daniel Markstedt <daniel@mindani.net>
Date:   Mon May 25 20:56:10 2026 +0200

    spotlight: drain ready localsearch callbacks on fetch
    
    The AFP client can poll fetchQueryResultsForContext immediately
    after the Tracker query callback has queued the first cursor_next_async(),
    but before the cursor callback has populated the current page or
    marked the query done.
    
    Run ready GLib main-context callbacks while the current page is still
    empty so localsearch returns the first available result page, or DONE
    for an empty result set, instead of repeated empty pending pages.
    Also continue cursor iteration when Tracker returns a row without a URI.

commit 45872c053998143ce44954d7c6f4cf735d3c0014
Author: Daniel Markstedt <daniel@mindani.net>
Date:   Mon May 25 20:18:45 2026 +0200

    webmin: centralize select builder options in core library
    
    rather than repeatedly hard coding each option list, define a hash
    centrally in netatalk-lib.pl and read it in each module with the
    new build_parameter_select method
    
    this makes it more straight forward to add and maintain select
    options, while reducing code repetition and potential for mistakes

commit f43bb3f4e5a2da8c3055b87434d28a7c57f7960e
Author: Daniel Markstedt <daniel@mindani.net>
Date:   Mon May 25 07:36:57 2026 +0200

    afpd: report client address in afpstats
    
    Send the connected client host/address in the login IPC payload
    instead of the configured server hostname. Resolve TCP clients to
    reverse-DNS names when available, fall back to normalized IP strings,
    and report AppleTalk sessions by DDP net.node address.

commit 38383de61fc99e5c11c8028f7e87b52f294157a1
Author: NJRoadfan <NJRoadfan@users.noreply.github.com>
Date:   Mon May 25 10:34:05 2026 -0400

    webmin: Add xapian spotlight backend

commit 4bc16133ca22b2bba3537a77cecabbeab67bb345
Author: Daniel Markstedt <daniel@mindani.net>
Date:   Sun May 24 15:49:09 2026 +0200

    distrib: harden container CNID MySQL setup
    
    Ref. GHSA-prvr-w43r-xf5r
    
    Reported-by: Michalis Vasileiadis (@vmihalis)
    Signed-off-by: Daniel Markstedt <daniel@mindani.net>

commit 6e4a3e1adb37324523afc17404b2ce4c66d0794d
Author: Daniel Markstedt <daniel@mindani.net>
Date:   Sun May 24 08:59:35 2026 +0200

    distrib: curl command to use HTTPS protocol

commit ed65c08a5a7767c9690361ffb8e5e4f3bc9d8426
Author: Daniel Markstedt <daniel@mindani.net>
Date:   Sun May 24 08:34:32 2026 +0200

    distrib: pin to specific Webmin version in container build
    
    Ref. GHSA-7fch-hrhx-h3mq
    
    Reported-by: Michalis Vasileiadis (@vmihalis)
    Signed-off-by: Daniel Markstedt <daniel@mindani.net>

commit fb9f6e3a36a6419c0237de39c9ad258bed1fa1d3
Author: Daniel Markstedt <daniel@mindani.net>
Date:   Wed May 20 07:54:24 2026 +0200

    update to unstable release and high priority
Created: 2026-05-20 Last update: 2026-06-01 07:30
lintian reports 84 warnings (normal)
Lintian reports 84 warnings about this package. You should make the package lintian-clean by getting rid of them.
Created: 2026-04-22 Last update: 2026-04-22 09:00
11 low-priority security issues in trixie (low)

There are 11 open security issues in trixie.

11 issues left for the package maintainer to handle:
  • CVE-2026-44053: (postponed; to be fixed through a stable update) Netatalk 1.5.0 through 4.2.2 uses a broken cryptographic algorithm in the DHCAST128 UAM, which allows a remote attacker to obtain authentication credentials or impersonate a user via cryptanalytic attack.
  • CVE-2026-44056: (postponed; to be fixed through a stable update) A stack-based buffer overflow in desktop.c in Netatalk 1.3 through 4.2.2 allows a remote authenticated attacker to cause a denial of service, obtain limited information, or modify limited data.
  • CVE-2026-44058: (postponed; to be fixed through a stable update) An authentication bypass vulnerability in Netatalk 2.2.2 through 4.4.2 allows a remote privileged user to authenticate as an arbitrary user via the admin auth user mechanism.
  • CVE-2026-44061: (postponed; to be fixed through a stable update) Netatalk 1.5.0 through 4.4.2 uses DES-ECB for authentication with a timing side channel, which allows a remote attacker to recover authentication credentials via timing analysis.
  • CVE-2026-44063: (postponed; to be fixed through a stable update) An LDAP injection vulnerability in Netatalk 2.1.0 through 4.4.2 allows a remote authenticated attacker to manipulate LDAP queries and obtain limited information or modify LDAP entries via crafted filter input.
  • CVE-2026-44065: (postponed; to be fixed through a stable update) An off-by-two error in lp_write() in papd in Netatalk 2.0.0 through 4.4.2 allows an adjacent network attacker to modify limited data or cause a minor service disruption via crafted print data.
  • CVE-2026-44067: (postponed; to be fixed through a stable update) A heap over-read in extended attribute (EA) header parsing in Netatalk 2.1.0 through 4.4.2 allows a remote authenticated attacker to obtain limited information or cause a minor service disruption via crafted EA data.
  • CVE-2026-49387: (needs triaging)
  • CVE-2026-49388: (needs triaging)
  • CVE-2026-49389: (needs triaging)
  • CVE-2026-49390: (needs triaging)

You can find information about how to handle these issues in the security team's documentation.

Created: 2026-05-14 Last update: 2026-05-31 16:30
news
  • [2026-05-23] netatalk 4.4.3~ds-1 MIGRATED to testing (Debian testing watch)
  • [2026-05-22] Accepted netatalk 4.2.3~ds-1+deb13u2 (source) into proposed-updates (Debian FTP Masters) (signed by: Moritz Mühlenhoff)
  • [2026-05-20] Accepted netatalk 4.4.3~ds-1 (source) into unstable (Daniel Markstedt)
  • [2026-05-18] Accepted netatalk 4.2.3~ds-1+deb13u2 (source) into stable-security (Debian FTP Masters) (signed by: Moritz Mühlenhoff)
  • [2026-04-24] netatalk 4.4.2~ds-1 MIGRATED to testing (Debian testing watch)
  • [2026-04-22] Accepted netatalk 4.4.2~ds-1 (source) into unstable (Daniel Markstedt)
  • [2026-04-15] netatalk 4.4.1~ds-1 MIGRATED to testing (Debian testing watch)
  • [2026-04-12] Accepted netatalk 4.4.1~ds-1 (source) into unstable (Daniel Markstedt)
  • [2026-03-28] Accepted netatalk 4.2.3~ds-1+deb13u1 (source) into proposed-updates (Debian FTP Masters) (signed by: Daniel Markstedt)
  • [2025-12-19] netatalk 4.2.3~ds-2.1 MIGRATED to testing (Debian testing watch)
  • [2025-12-17] Accepted netatalk 4.2.3~ds-2.1 (source) into unstable (Adrian Bunk)
  • [2025-10-08] netatalk 4.2.3~ds-2 MIGRATED to testing (Debian testing watch)
  • [2025-10-05] Accepted netatalk 4.2.3~ds-2 (source) into unstable (Jonas Smedegaard)
  • [2025-06-03] netatalk 4.2.3~ds-1 MIGRATED to testing (Debian testing watch)
  • [2025-05-13] Accepted netatalk 4.2.3~ds-1 (source) into unstable (Jonas Smedegaard)
  • [2025-04-26] netatalk 4.2.1~ds-1 MIGRATED to testing (Debian testing watch)
  • [2025-04-16] Accepted netatalk 4.2.1~ds-1 (source) into unstable (Jonas Smedegaard)
  • [2025-04-12] Accepted netatalk 4.2.0~ds-3 (source) into unstable (Jonas Smedegaard)
  • [2025-04-12] Accepted netatalk 4.2.0~ds-2+exp (source) into experimental (Jonas Smedegaard)
  • [2025-04-08] Accepted netatalk 4.2.0~ds-2 (source) into unstable (Jonas Smedegaard)
  • [2025-04-06] Accepted netatalk 4.2.0~ds-1 (source) into unstable (Jonas Smedegaard)
  • [2025-03-10] netatalk 4.1.2~ds-4 MIGRATED to testing (Debian testing watch)
  • [2025-03-08] Accepted netatalk 4.1.2~ds-4 (source) into unstable (Jonas Smedegaard)
  • [2025-02-25] Accepted netatalk 4.1.2~ds-3 (source) into unstable (Jonas Smedegaard)
  • [2025-02-24] Accepted netatalk 4.1.2~ds-2 (source) into unstable (Jonas Smedegaard)
  • [2025-02-15] netatalk 4.1.2~ds-1 MIGRATED to testing (Debian testing watch)
  • [2025-02-13] Accepted netatalk 4.1.2~ds-1 (source) into unstable (Jonas Smedegaard)
  • [2025-01-28] netatalk 4.1.1~ds-1 MIGRATED to testing (Debian testing watch)
  • [2025-01-24] Accepted netatalk 4.1.1~ds-1 (source) into unstable (Jonas Smedegaard)
  • [2025-01-16] netatalk 4.1.0~ds-1 MIGRATED to testing (Debian testing watch)
bugs [bug history graph]
  • all: 32
  • RC: 22
  • I&N: 9
  • M&W: 1
  • F&P: 0
  • patch: 0
links
  • homepage
  • lintian (0, 84)
  • buildd: logs, reproducibility, cross
  • popcon
  • browse source code
  • other distros
  • security tracker
  • debian patches
  • debci
ubuntu
  • version: 4.4.3~ds-1
  • 40 bugs

Debian Package Tracker — Copyright 2013-2025 The Distro Tracker Developers