CVE-2022-22995 #480
Comments
There's a severe lack of context in the body of the CVE record to make a judgment one way or the other. Interesting that they call out Samba and Netatalk in the same sentence. The two have very different default config files. (Although they have code elsewhere that shares original authorship.) For the record, this is all there is in the CVE record, unless I'm overlooking something:
Let me try to reach out to the authors to hear if they have further information that's not in the public CVE record.
I contacted Corentin over LinkedIn now (same name, same company). The other two I couldn't immediately find. If someone here has an X (Twitter) account, might you contact Luca via the given handle?
Corentin responded to me and said he can provide additional information about the exploit shortly.
Yeah, the content of this CVE was very ambiguous. I could only guess what was meant, and even if I did patch the default afp.conf during the packaging process, how could I be sure it really fixed what the CVE author was getting at? Anyways, thanks for finding someone who might be a good source of information for this one. Maybe we can put this to rest soon.
Patch in #509
Since this has gone unfixed, I am kindly placing this here for visibility:
https://nvd.nist.gov/vuln/detail/cve-2022-22995
It is unclear to me exactly what the issue is. Is it the default afp.conf that ships with nearly all parameters commented out?
As the Fedora packager for netatalk, I could continue to just ignore this, but thought I'd mention something in case the current upstream maintainers are not aware.
https://bugzilla.redhat.com/show_bug.cgi?id=2069300