+++ This bug was initially created as a clone of Bug #30287 +++ SUSE has issued an advisory today (April 13): https://lists.suse.com/pipermail/sle-security-updates/2022-April/010700.html The issues are fixed upstream in 3.1.13. 3.1.13 also has fixes for CVE-2022-0194 and CVE-2022-2312[2-4], but the patch that fixed those issues caused a regression, so SUSE reverted it for their update. Mageia 8 is also affected.
Whiteboard: (none) => MGA8TOO
Status comment: (none) => Upstream fix in 3.1.13 caused regression, no good fix yet
This package has no formal maintainer, but I am assigning this (& its companion 30287) to DavidG, who committed version 3.1.12 over 3 years ago!
Assignee: bugsquad => geiger.david68210
Depends on: (none) => 31255
Fixed in Cauldron with latest 3.1.14 release!
Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)
Done also for mga8!
(In reply to David GEIGER from comment #2) > Fixed in Cauldron with latest 3.1.14 release! Are you sure that 3.1.14 fixes these CVEs (do you have a link that confirms that)? What about the CVE in Bug 31255?
From the NEWS file:

Changes in 3.1.13
=================
* FIX: CVE-2021-31439
* FIX: CVE-2022-23121
* FIX: CVE-2022-23123
* FIX: CVE-2022-23122
* FIX: CVE-2022-23125
* FIX: CVE-2022-23124
* FIX: CVE-2022-0194
* FIX: afpd: make a variable declaration a definition
* UPD: Remove bundled libevent
Ahh, so we already knew those fixes were in 3.1.13. The question is does 3.1.14 fix the regression?
Don't really know, it is not clearly mentioned in NEWS file: https://github.com/Netatalk/Netatalk/commit/895cecbeeae655b2793df6fcbf9df1c1bfbe285d
Fixed in: https://advisories.mageia.org/MGASA-2023-0027.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED