netatalk: CVE-2018-1160: Unauthenticated remote code execution in Netatalk

Related Vulnerabilities: CVE-2018-1160  

Debian Bug report logs - #916930


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Thu, 20 Dec 2018 16:12:01 UTC

Severity: grave

Tags: patch, security, upstream

Found in versions netatalk/2.2.6-1.1, netatalk/2.2.5-2

Fixed in versions netatalk/2.2.5-2+deb9u1, netatalk/2.2.6-2

Done: Jonas Smedegaard <dr@jones.dk>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Netatalk team <pkg-netatalk-devel@lists.alioth.debian.org>:
Bug#916930; Package src:netatalk. (Thu, 20 Dec 2018 16:12:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Netatalk team <pkg-netatalk-devel@lists.alioth.debian.org>. (Thu, 20 Dec 2018 16:12:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: netatalk: CVE-2018-1160: Unauthenticated remote code execution in Netatalk
Date: Thu, 20 Dec 2018 17:08:29 +0100
Source: netatalk
Version: 2.2.5-2
Severity: grave
Tags: patch security upstream
Justification: user security hole
Control: found -1 2.2.6-1.1
Control: fixed -1 2.2.5-2+deb9u1

Hi,

The following vulnerability was published for netatalk.

CVE-2018-1160[0]:
Unauthenticated remote code execution in Netatalk

More information and patches for the 2.2 branch can be found in [1].

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-1160
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1160
[1] https://bugzilla.samba.org/show_bug.cgi?id=13711
[2] http://netatalk.sourceforge.net/3.1/ReleaseNotes3.1.12.html

Regards,
Salvatore



Marked as found in versions netatalk/2.2.6-1.1. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Thu, 20 Dec 2018 16:12:04 GMT)


Marked as fixed in versions netatalk/2.2.5-2+deb9u1. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Thu, 20 Dec 2018 16:12:05 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Netatalk team <pkg-netatalk-devel@lists.alioth.debian.org>:
Bug#916930; Package src:netatalk. (Thu, 20 Dec 2018 21:09:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Netatalk team <pkg-netatalk-devel@lists.alioth.debian.org>. (Thu, 20 Dec 2018 21:09:04 GMT)


Message #14 received at 916930@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 916930@bugs.debian.org
Subject: netatalk: diff for NMU version 2.2.6-1.2
Date: Thu, 20 Dec 2018 22:06:32 +0100
Control: tags 916930 + pending


Dear maintainer,

I've prepared an NMU for netatalk (versioned as 2.2.6-1.2) and
uploaded it to DELAYED/2. Please feel free to tell me if I
should delay it longer.

Regards,
Salvatore
[netatalk-2.2.6-1.2-nmu.diff (text/x-diff, attachment)]

Added tag(s) pending. Request was from Salvatore Bonaccorso <carnil@debian.org> to 916930-submit@bugs.debian.org. (Thu, 20 Dec 2018 21:09:04 GMT)


Reply sent to Jonas Smedegaard <dr@jones.dk>:
You have taken responsibility. (Sat, 22 Dec 2018 18:39:21 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 22 Dec 2018 18:39:21 GMT)


Message #21 received at 916930-close@bugs.debian.org:

From: Jonas Smedegaard <dr@jones.dk>
To: 916930-close@bugs.debian.org
Subject: Bug#916930: fixed in netatalk 2.2.6-2
Date: Sat, 22 Dec 2018 18:34:55 +0000
Source: netatalk
Source-Version: 2.2.6-2

We believe that the bug you reported is fixed in the latest version of
netatalk, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 916930@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jonas Smedegaard <dr@jones.dk> (supplier of updated netatalk package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Sat, 22 Dec 2018 19:04:35 +0100
Source: netatalk
Binary: netatalk netatalk-dbg
Architecture: source
Version: 2.2.6-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Netatalk team <pkg-netatalk-devel@lists.alioth.debian.org>
Changed-By: Jonas Smedegaard <dr@jones.dk>
Description:
 netatalk   - AppleTalk user binaries
 netatalk-dbg - Debug symbols for netatalk
Closes: 864125 907958 912091 916930
Changes:
 netatalk (2.2.6-2) unstable; urgency=medium
 .
   * Acknowledge NMUs.
     Closes: Bug#864125, #916930.
     Thanks to Salvatore Bonaccorso and Andreas Metzler.
   * Simplify rules:
     + Stop resolve build-dependencies in rules file.
   * Update notes on local build linked with OpenSSL:
     + Rephrase centered on usage needs (not legalese).
     + Use apt (not aptitude or apt-get) in interactive commands.
     + Stop reference obsolete unofficial package repository.
     + Move build details to README.source.
   * Update Vcs-* fields: Maintenance moved to Salsa.
   * Stop build-depend on dh-buildinfo.
   * Update copyright info:
     + Extend coverage of packaging.
     + Use https protocol in format URL.
   * Wrap and sort control file, and strip trailing spaces.
   * Use package priority optional (not extra).
   * Declare compliance with Debian Policy 4.2.1.
   * Fix depend on lsb-base.
   * Configure with --enable-a2boot.
     Closes: Bug#907958. Thanks to T. Joseph Carter.
   * Add patch 106
     to fix detect Berkeley DB installed in multiarch location.
     Closes: Bug#912091. Thanks to Helmut Grohne.
   * Add patches cherry-picked upstream
     to fix unauthenticated remote code execution
     (replacing semantically identical patch 115 added in 2.2.6-1.2).





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 17 Feb 2019 07:28:31 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:51:17 2019; Machine Name: beach
