Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: jo...@jones.dk
This is a batch of patches that resolves a number of CVE vulnerabilities for netatalk, plus a number of regressions that were subsequently fixed upstream (indicated by the part/regression patches). They originate in upstream releases between 3.1.13 and 3.1.15. With the exception of the very last regression fix (CVE-2022-23123_part6.patch) they are all in the unstable netatalk package.

CVE-2022-45188
CVE-2022-43634
CVE-2022-23125
CVE-2022-23124
CVE-2022-23123
CVE-2022-23122
CVE-2022-23121
CVE-2022-0194
CVE-2021-31439

For complete transparency: please note that the patch for CVE-2022-23123 also fixes CVE-2022-23122, CVE-2022-23124 and CVE-2022-0194, which is why the latter three don't have separate patches.

The Security Team has already applied this exact patchset on buster-security (3.1.12~ds-3+deb10u3), and instructed me to file this release request against oldstable.

We have an active userbase that leverages netatalk for file sharing with fleets of legacy Mac clients in production environments, so I consider it prudent to keep oldstable up to date with security patches.

Is this enough to make a case for uploading an update to oldstable?

Sincerely,
Daniel Markstedt
Attachment: netatalk-3.1.12~ds-8+deb11u1.patch (binary data)