SUSE has issued an advisory on December 8: https://lists.suse.com/pipermail/sle-security-updates/2022-December/013205.html Mageia 8 is also affected.
Blocks: (none) => 30288Whiteboard: (none) => MGA8TOO
Assigning to all packagers collectively, since there is no registered maintainer.
CC: (none) => marja11Assignee: bugsquad => pkg-bugs
David Geiger has built an update to upstream 3.1.14: netatalk-3.1.14-1.mga8 libnetatalk-devel-3.1.14-1.mga8 libnetatalk18-3.1.14-1.mga8 from netatalk-3.1.14-1.mga8.src.rpm Awaiting confirmation on which CVEs it fixes.
CC: (none) => geiger.david68210
CVE-2022-45188 seems not yet fixed upstream.
Indeed, but you can add this patch for it: https://build.opensuse.org/package/view_file/SUSE:SLE-12:Update/netatalk/netatalk-CVE-2022-45188.patch?expand=1
patch added on both mga8 and Cauldron!
netatalk-3.1.14-1.1.mga8 libnetatalk-devel-3.1.14-1.1.mga8 libnetatalk18-3.1.14-1.1.mga8 from netatalk-3.1.14-1.1.mga8.src.rpm Fixing CVE-2022-45188 and the CVEs listed here: https://bugs.mageia.org/show_bug.cgi?id=30288#c5
Assignee: pkg-bugs => qa-bugsWhiteboard: MGA8TOO => (none)Version: Cauldron => 8
MGA8-64 MATE on Acer Aspire 5253 No installation issues Ref bug 30287 for testing # systemctl start netatalk # systemctl -l status netatalk ● netatalk.service - Netatalk AFP fileserver for Macintosh clients Loaded: loaded (/usr/lib/systemd/system/netatalk.service; disabled; vendor preset: d> Active: active (running) since Mon 2023-02-06 09:46:29 CET; 29s ago Docs: man:afp.conf(5) man:netatalk(8) man:afpd(8) man:cnid_metad(8) man:cnid_dbd(8) http://netatalk.sourceforge.net/ Process: 6180 ExecStartPre=/usr/bin/systemd-tmpfiles --create /usr/lib/tmpfiles.d/net> Process: 6181 ExecStart=/usr/sbin/netatalk (code=exited, status=0/SUCCESS) Main PID: 6183 (netatalk) Tasks: 4 (limit: 4364) Memory: 7.8M CPU: 1.468s CGroup: /system.slice/netatalk.service ├─6183 /usr/sbin/netatalk ├─6184 /usr/sbin/afpd -d -F /etc/netatalk/afp.conf └─6185 /usr/sbin/cnid_metad -d -F /etc/netatalk/afp.conf Feb 06 09:46:28 mach7.hviaene.thuis systemd[1]: Starting Netatalk AFP fileserver for Maci> Feb 06 09:46:28 mach7.hviaene.thuis systemd-tmpfiles[6180]: Failed to open '/usr/lib/tmpf> Feb 06 09:46:29 mach7.hviaene.thuis systemd[1]: netatalk.service: Can't open PID file /va> Feb 06 09:46:29 mach7.hviaene.thuis systemd[1]: Started Netatalk AFP fileserver for Macin> This laptop doesn't have python2 anymore, so went for the version of the testscript papoteur uploaded, so $ python pea3.py -i 192.168.2.7 -lv [+] Attempting connection to 192.168.2.7:548 [+] Connected! [+] Sending exploit to overwrite preauth_switch data. [+] Listing volumes Traceback (most recent call last): File "pea3.py", line 288, in <module> list_volumes(sock) File "pea3.py", line 113, in list_volumes send_request(sock, b"\x00\x01", afp_getsrvrparms, "") File "pea3.py", line 74, in send_request data += param_string TypeError: can't concat str to bytes The ipaddress is the own laptop. So base don a similar result as in bug 30287, having a working setup and connection, giving the OK.
Whiteboard: (none) => MGA8-64-OKCC: (none) => herman.viaene
Validating.
CC: (none) => andrewsfarm, sysadmin-bugsKeywords: (none) => validated_update
Keywords: (none) => advisoryCC: (none) => davidwhodgins
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2023-0027.html
Resolution: (none) => FIXEDStatus: NEW => RESOLVED
This update also fixed CVE-2022-43634: https://lists.suse.com/pipermail/sle-security-updates/2023-February/013706.html