On Wed, May 24, 2023 at 7:18 AM Moritz Mühlenhoff <j...@inutil.org> wrote:
> [...]
> It's nice that there's renewed interest, but this involves also taking
> care of netatalk in stable, there's a range of issues (full list at
> https://security-tracker.debian.org/tracker/source-package/netatalk)
> which need to be backported to bullseye-security.
>
> I'm reopening the bug, it can be closed with the respective upload
> to bullseye-security.
>
> Cheers,
> Moritz
>
Since both buster and bullseye use the same base version of netatalk (3.1.12), the work required here should be straightforward: simply bring over the CVE patchset that was applied to buster-security.

A snippet from `apt source netatalk` on buster:

    [...]
    dpkg-source: info: applying CVE-2022-45188.patch
    dpkg-source: info: applying CVE-2022-43634.patch
    dpkg-source: info: applying CVE-2022-23125.patch
    dpkg-source: info: applying CVE-2022-23121.patch
    dpkg-source: info: applying CVE-2021-31439.patch
    dpkg-source: info: applying CVE-2022-23123_part1.patch
    dpkg-source: info: applying CVE-2022-23123_part2.patch
    dpkg-source: info: applying CVE-2022-23123_part3.patch
    dpkg-source: info: applying CVE-2022-23123_part4.patch
    dpkg-source: info: applying CVE-2022-23123_part5.patch
    dpkg-source: info: applying CVE-2022-23121_regression.patch

The only real difference between buster and bullseye netatalk 3.1.12 is that the latter has a few extra backported crashfixes etc. I had a quick look and concluded that they shouldn't interfere with the CVE patches.

I'd be happy to try to achieve the "upload to bullseye-security" if you all can give me some pointers. This is all new to me.

Best regards,
Daniel
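The check Daniel describes (which CVE patches buster-security carries that bullseye's netatalk 3.1.12 still lacks) can be done mechanically by comparing the two trees' debian/patches/series files. The script below is an added example and is not part of the bug thread or of the Debian netatalk packaging; the directory layout and the series contents it writes are constructed sample data (the CVE patch names are taken from the dpkg-source output quoted above, the bullseye subset and the "fix-crash-on-empty-volume.patch" name are invented for the demonstration).

```shell
#!/bin/sh
# Added example (not from the bug thread): list the patches applied in one
# Debian source tree's debian/patches/series that are missing from another.
# Intended use: compare `apt source netatalk` trees from buster and bullseye
# to see which security patches still need backporting.

# missing_patches SRC_SERIES DST_SERIES
# Prints each patch named in SRC_SERIES that does not appear in DST_SERIES.
missing_patches() {
    src="$1"; dst="$2"
    # Skip comment and blank lines; keep only the patch file name, since a
    # series line may carry options after it (e.g. "foo.patch -p1").
    grep -v '^[[:space:]]*#' "$src" | grep -v '^[[:space:]]*$' |
    while IFS= read -r line; do
        patch=${line%% *}
        if ! grep -qxF "$patch" "$dst"; then
            printf '%s\n' "$patch"
        fi
    done
}

# missing_cve_patches SRC_SERIES DST_SERIES
# Same, restricted to CVE-named patches (the security-tracker items).
missing_cve_patches() {
    missing_patches "$1" "$2" | grep '^CVE-'
}

# Constructed sample trees modelled on the dpkg-source output in the thread.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/buster/debian/patches" "$demo_dir/bullseye/debian/patches"
cat > "$demo_dir/buster/debian/patches/series" <<'EOF'
# constructed sample: patches applied in buster-security
CVE-2022-45188.patch
CVE-2022-43634.patch
CVE-2022-23125.patch
CVE-2022-23121.patch
CVE-2021-31439.patch
CVE-2022-23123_part1.patch
CVE-2022-23121_regression.patch
EOF
cat > "$demo_dir/bullseye/debian/patches/series" <<'EOF'
# constructed sample: bullseye carries extra crashfixes and only some CVE patches
fix-crash-on-empty-volume.patch
CVE-2022-45188.patch
CVE-2021-31439.patch
EOF

buster_series="$demo_dir/buster/debian/patches/series"
bullseye_series="$demo_dir/bullseye/debian/patches/series"

echo "CVE patches in buster-security missing from bullseye:"
missing_cve_patches "$buster_series" "$bullseye_series"
```

Run against real trees by pointing the two arguments at the unpacked sources' debian/patches/series files; the output is the list of CVE patches still to be cherry-picked into the bullseye-security upload. Matching by file name only is deliberate: a patch present under the same name in both trees still has to be compared by content before assuming it is identical.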