Created attachment 14735 [details] Prepared advisory text for CVE-2018-1160
Created attachment 14736 [details] Patch for master
Created attachment 14737 [details] Patch for 3.1
Comment on attachment 14735 [details] Prepared advisory text for CVE-2018-1160 Advisory looks good to me. All the best with the security release!
(In reply to Andrew Bartlett from comment #4) Thanks! Not Samba, rofl... ;)
Comment on attachment 14735 [details] Prepared advisory text for CVE-2018-1160 A few tiny grammar errors around plurals, but nothing to stop ship. LGTM.
Release is planned for Thursday 20th of December 2018.
For those a little confused by this mail, please let me explain. As you can see in the advisory here, a serious security issue has been identified in Netatalk. Netatalk, like Samba, is often installed to share files (with Apple Mac clients), and it was felt that by forwarding the information here we might efficiently and securely reach affected vendors. For those confused, please be clear it is NOT an issue in Samba. However, given Ralph's long association with and membership of the Samba Team, we felt it appropriate to aid him, and if you are such a vendor we hope you, in this way.
Created attachment 14747 [details] Patch for 2.0.x Hello Ralph, thank you for the 3.x patches. Is there any patch for 2.x? I attempted to create one; it looks very similar to the patch for 3.1 except for the dsi->cmdlen calculation and the omission of the 'AFP replaycache size option' section. Is it correct?
Created attachment 14748 [details] Patch for 2.2
(In reply to Petr Gajdos from comment #9) I provided an "official" patch for 2.2.
(In reply to Ralph Böhme from comment #11) Ralph, apologies, yes, I forgot to specify the exact version against which the patch was created: 2.0.3. Thank you anyway!
Will this ticket be updated when we are clear to release? Where will the official notification regarding the issue be posted?
(In reply to Andrew Walker from comment #13) Netatalk 3.1.12 has just been released to address this issue. The release was announced via the usual Netatalk mailing lists. The CVE description should appear soon on the MITRE site: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-1160 Thanks to everyone who helped get this out!
Comment on attachment 14747 [details] Patch for 2.0.x Patch looks good to me.
(In reply to Ralph Böhme from comment #15) Ralph, thank you for the review!