From: Peter Korsgaard <peter@korsgaard.com>
To: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Cc: buildroot@buildroot.org
Subject: Re: [Buildroot] [PATCH v2, 1/1] package/netatalk: security bump to version 3.1.17
Date: Mon, 25 Sep 2023 09:54:58 +0200 [thread overview]
Message-ID: <87v8byd6wd.fsf@48ers.dk> (raw)
In-Reply-To: <20230919205058.446156-1-fontaine.fabrice@gmail.com> (Fabrice Fontaine's message of "Tue, 19 Sep 2023 22:50:58 +0200")
>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:
> - Drop patches (already in version) and so autoreconf
> - Update COPYING hash (gpl mailing address updated with
> https://github.com/Netatalk/netatalk/commit/9bd45cc06e02e9bbfe8156bb1e5e2843b7727a51
> https://github.com/Netatalk/netatalk/commit/6a5997fbd64d6cd5a5400ea6a0a930d005ed89df)
> - Fix CVE-2022-43634: This vulnerability allows remote attackers to
> execute arbitrary code on affected installations of Netatalk.
> Authentication is not required to exploit this vulnerability. The
> specific flaw exists within the dsi_writeinit function. The issue
> results from the lack of proper validation of the length of
> user-supplied data prior to copying it to a fixed-length heap-based
> buffer. An attacker can leverage this vulnerability to execute code in
> the context of root. Was ZDI-CAN-17646.
> - Fix CVE-2022-45188: Netatalk through 3.1.13 has an afp_getappl
> heap-based buffer overflow resulting in code execution via a crafted
> .appl file. This provides remote root access on some platforms such as
> FreeBSD (used for TrueNAS).
> - Fix CVE-2023-42464: Validate data type in dalloc_value_for_key()
> https://github.com/Netatalk/netatalk/blob/netatalk-3-1-17/NEWS
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
> ---
> Changes v1 -> v2:
> - Update .checkpackageignore
Committed to 2023.02.x, 2023.05.x and 2023.08.x, thanks.
--
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
prev parent reply other threads:[~2023-09-25 7:55 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-09-19 20:50 [Buildroot] [PATCH v2, 1/1] package/netatalk: security bump to version 3.1.17 Fabrice Fontaine
2023-09-20 17:42 ` Yann E. MORIN
2023-09-25 7:54 ` Peter Korsgaard [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87v8byd6wd.fsf@48ers.dk \
--to=peter@korsgaard.com \
--cc=buildroot@buildroot.org \
--cc=fontaine.fabrice@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.