Package "netatalk"

Name: netatalk
Description: Apple Filing Protocol service
Latest version: 3.1.12~ds-4ubuntu0.20.04.4
Release: focal (20.04)
Level: security
Repository: universe
Homepage: http://netatalk.sourceforge.net/

Changelog
netatalk (3.1.12~ds-4ubuntu0.20.04.4) focal-security; urgency=medium

  * SECURITY UPDATE: memory leak vulnerability
    - d/p/CVE-2024-38439-38440-38441.patch: harden user login by doing null
      pointer and length checks on input buffer
    - CVE-2024-38439
    - CVE-2024-38440
    - CVE-2024-38441
  * SECURITY UPDATE: arbitrary file writing vulnerability
    - d/p/CVE-2022-22995.patch: Harden create_appledesktop_folder()
    - CVE-2022-22995

 -- Shishir Subedi <email address hidden>  Tue, 11 Mar 2025 10:15:25 +0545

CVE-2024-38439
Netatalk before 3.2.1 has an off-by-one error and resultant heap-based buffer overflow because of setting ibuf[PASSWDLEN] to '\0' in FPLoginExt in lo
CVE-2024-38440
Netatalk before 3.2.1 has an off-by-one error, and resultant heap-based buffer overflow and segmentation violation, because of incorrectly using FPLo
CVE-2024-38441
Netatalk before 3.2.1 has an off-by-one error and resultant heap-based buffer overflow because of setting ibuf[len] to '\0' in FPMapName in afp_mapna
CVE-2022-22995
The combination of primitives offered by SMB and AFP in their default configuration allows the arbitrary writing of files. By exploiting these combin

netatalk (3.1.12~ds-4ubuntu0.20.04.3) focal-security; urgency=medium

  * SECURITY UPDATE: remote code execution
    - debian/patches/CVE-2023-42464.patch: validate data type in
      dalloc_value_for_key() to avoid type confusion.
    - CVE-2023-42464

 -- Allen Huang <email address hidden>  Thu, 07 Dec 2023 13:48:08 +0000

CVE-2023-42464
A Type Confusion vulnerability was found in the Spotlight RPC functions in afpd in Netatalk 3.1.x before 3.1.17. When parsing Spotlight RPC packets,

netatalk (3.1.12~ds-4ubuntu0.20.04.1) focal-security; urgency=medium

  * SECURITY UPDATE: RCE vulnerability
    - debian/patches/CVE-2021-31439.patch: libatalk: apply limit checking
      to DSI write offset
    - CVE-2021-31439
  * SECURITY UPDATE: RCE with root privileges
    - debian/patches/CVE-2022-0194_23122_23123_23124_*.patch: add defines
      for icon lengths, harden ad_entry(), add handling for cases where
      ad_entry() returns NULL, protect against removing AFP metadata xattr,
      avoid setting adouble entries on symlinks
    - debian/patches/CVE-2022-23121-*.patch: apply hardening to
      parse_entries()
    - debian/patches/CVE-2022-23125.patch: harden copyapplfile()
    - debian/patches/CVE-2022-43634.patch: fix dsi_writeinit() function
    - CVE-2022-0194
    - CVE-2022-23121
    - CVE-2022-23122
    - CVE-2022-23123
    - CVE-2022-23124
    - CVE-2022-23125
    - CVE-2022-43634
  * SECURITY UPDATE: heap-based buffer overflow
    - debian/patches/CVE-2022-45188.patch: fixes the heap-based buffer
      overflow in afp_getappl()
    - CVE-2022-45188

 -- Nishit Majithia <email address hidden>  Thu, 08 Jun 2023 09:48:49 +0530

CVE-2021-31439
This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Synology DiskStation Manager. Authenticat
CVE-2022-0194
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Netatalk. Authentication is not required to exploit
CVE-2022-23121
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Netatalk. Authentication is not required to exploit
CVE-2022-23125
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Netatalk. Authentication is not required to exploit
CVE-2022-43634
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Netatalk. Authentication is not required to exploit
CVE-2022-23122
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Netatalk. Authentication is not required to exploit
CVE-2022-23123
This vulnerability allows remote attackers to disclose sensitive information on affected installations of Netatalk. Authentication is not required to
CVE-2022-23124
This vulnerability allows remote attackers to disclose sensitive information on affected installations of Netatalk. Authentication is not required to
CVE-2022-45188
Netatalk through 3.1.13 has an afp_getappl heap-based buffer overflow resulting in code execution via a crafted .appl file. This provides remote root