Bug 30288 - netatalk new security issues CVE-2022-0194 and CVE-2022-2312[2-4]
Summary: netatalk new security issues CVE-2022-0194 and CVE-2022-2312[2-4]
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 8
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: David GEIGER
QA Contact: Sec team
Depends on: 30287 31255
  Show dependency treegraph
Reported: 2022-04-14 00:35 CEST by David Walser
Modified: 2023-02-07 05:39 CET (History)
0 users

See Also:
Source RPM: netatalk-3.1.12-9.mga9.src.rpm
Status comment: Upstream fix in 3.1.13 caused regression, no good fix yet


Description David Walser 2022-04-14 00:35:28 CEST
+++ This bug was initially created as a clone of Bug #30287 +++

SUSE has issued an advisory today (April 13):

The issues are fixed upstream in 3.1.13.

3.1.13 also has fixes for CVE-2022-0194 and CVE-2022-2312[2-4], but the patch that fixed those issues caused a regression, so SUSE reverted it for their update.

Mageia 8 is also affected.
David Walser 2022-04-14 00:35:55 CEST

Whiteboard: (none) => MGA8TOO
Status comment: (none) => Upstream fix in 3.1.13 caused regression, no good fix yet

Comment 1 Lewis Smith 2022-04-14 08:49:05 CEST
This package has no formal maintainer, but am assigning this (& its companion 30287) to DavidG who commited version: 3.1.12 - over 3y ago!

Assignee: bugsquad => geiger.david68210

David Walser 2022-12-09 17:43:59 CET

Depends on: (none) => 31255

Comment 2 David GEIGER 2023-01-31 06:33:26 CET
Fixed in Cauldron with latest 3.1.14 release!
David Walser 2023-01-31 15:40:08 CET

Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)

Comment 3 David GEIGER 2023-01-31 18:17:09 CET
Done also for mga8!
Comment 4 David Walser 2023-02-01 16:31:28 CET
(In reply to David GEIGER from comment #2)
> Fixed in Cauldron with latest 3.1.14 release!

Are you sure that 3.1.14 fixes these CVEs (do you have a link that confirms that)?  What about the CVE in Bug 31255?
Comment 5 David GEIGER 2023-02-01 17:00:59 CET
 from NEWS file:

Changes in 3.1.13
* FIX: CVE-2021-31439
* FIX: CVE-2022-23121
* FIX: CVE-2022-23123
* FIX: CVE-2022-23122
* FIX: CVE-2022-23125
* FIX: CVE-2022-23124
* FIX: CVE-2022-0194
* FIX: afpd: make a variable declaration a definition
* UPD: Remove bundled libevent
Comment 6 David Walser 2023-02-01 23:53:00 CET
Ahh, so we already knew those fixes were in 3.1.13.  The question is does 3.1.14 fix the regression?
Comment 7 David GEIGER 2023-02-02 06:59:33 CET
Don't really know, it is not clearly mentioned in NEWS file:

Comment 8 David Walser 2023-02-07 05:39:03 CET
Fixed in:

Resolution: (none) => FIXED

Note You need to log in before you can comment on or make changes to this bug.