Debian Patches
Status for netatalk/4.2.3~ds-1+deb13u2
| Patch | Description | Author | Forwarded | Bugs | Origin | Last update |
|---|---|---|---|---|---|---|
| 001_uams_non_reentrant.patch | Revert to non-reentrant getpwnam() in the uam module. Since afpd isn't a threading application, there is no pressing need to use the reentrant-safe way to fetch the passwd entry in uam_getname(). The reverted solution had flaws that led to a critical failure when attempting to authenticate in a complex ActiveDirectory environment. | Daniel Markstedt <daniel@mindani.net> | yes | | upstream | 2025-09-05 |
| 202_privacy.patch | avoid privacy leak in documentation | Jonas Smedegaard <dr@jones.dk> | not-needed | | | 2025-04-14 |
| 002_CVE_batch_2026-05.patch | patch 20 CVEs that were disclosed on 2026-05-13. CVE-2026-44047: cnid: protect against MySQL CNID filename SQL injection; CVE-2026-44048: libatalk: fix UCS-2 terminator bounds in charset conversion; CVE-2026-44049: libatalk: reserve charset terminator space in conversion; CVE-2026-44050: cnid_dbd: validate CNID request name length; CVE-2026-44051: afpd: validate symlink targets from FinderInfo; CVE-2026-44052: libatalk: avoid logging LDAP bind passwords; CVE-2026-44054: afpd: randomize reconnect session token; CVE-2026-44055: afpd: correct bitwise check and escape user in FCE notify script; CVE-2026-44057, CVE-2026-44066: afpd: fix spotlight unmarshalling depth and dead check; CVE-2026-44060: libatalk/dsi: fix write underflow in dsi_writeinit; CVE-2026-44062: libatalk/unicode: guard UCS2 slash and colon writes; CVE-2026-44064: libatalk/asp: bounds-check ASP session ID; CVE-2026-44068: libatalk/vfs: reject slash in EA names; CVE-2026-44076: netatalk: fix Spotlight volume path shell quoting; CVE-2026-45354: libatalk/dsi: guard cmdlen override to DSIWrite to prevent DoS; CVE-2026-45355: afpd: fix signed integer underflow in sl_unpack_cpx string length; CVE-2026-45356: afpd: guard against unsigned underflow in sl_unpack_loop count decrement; CVE-2026-45698, CVE-2026-45699: afpd: fix stack buffer overflow in copydir() and deletedir() | Daniel Markstedt <daniel@mindani.net> | no | | | 2026-05-15 |
All known versions for source package 'netatalk'
- 4.4.3~ds-1 (sid, forky)
- 4.2.3~ds-1+deb13u2 (trixie-proposed-updates, trixie-security)
- 4.2.3~ds-1+deb13u1 (trixie)
