Hi Daniel,

On Sat, Jun 03, 2023 at 02:56:00PM -0700, Daniel Markstedt wrote:
> > ---------- Forwarded message ----------
> > From: Markus Koschany <a...@debian.org>
> > To: Daniel Markstedt <markst...@gmail.com>, 1036740-d...@bugs.debian.org
> > Cc: debian-...@lists.debian.org
> > Bcc:
> > Date: Thu, 01 Jun 2023 19:54:55 +0200
> > Subject: Re: Bug#1036740: Fix for CVE-2022-23123 causes afpd segfault with valid metadata
> > Version:  3.1.12~ds-3+deb10u2
> >
> > Thanks for your report and the detailed replies. I could reproduce the problem
> > and identify a wrongly applied commit in libatalk/adouble/ad_open.c. After
> > applying a new patch to fix it, the AppleDouble v2 format seems to work as
> > intended again. I'm going to close this bug report now.
> >
> > Best,
> >
> > Markus
> >
> 
> Thank you Markus for narrowing down the problem and fixing it!
> I can confirm that appledouble=v2 works in my environment now too.
> 
> So this covers the outstanding CVEs for oldstable now;
> are you already preparing to port the same patchset to stable as well?
> 
> I can file another bug report if it helps.

No other reports needed, since all were reported. For the bookworm
release they would be fixed, for the current stable (bullseye) we
explicitly asked the maintainer through
https://bugs.debian.org/1025011#15 . So we are waiting for the
netatalk maintainers to propose an update here for bullseye-security.

Regards,
Salvatore
