CVE-2022-22995 #480
Comments
|
There's a severe lack of context in the body of the CVE record to make judgment one way or the other. Interesting that they call out Samba and Netatalk in the same sentence. The two have very different default config files. (Although they have code elsewhere that share original authorship.) For the record this is all there is in the CVE record, unless I'm overlooking something:
Let me try to reach out to the authors to hear if they have further information that's not in the public CVE record. |
|
I contacted Corentin over LinkedIn now (same name, same company.) The other two I couldn't immediately find. If someone here has an X (Twitter) account, might you contact Luca via the given handle? |
|
Corentin responded to me and said he can provide additional information about the exploit shortly. |
|
Yeah, the content of this CVE was very ambiguous. I could only guess what was meant, and even if I did patch the default afp.conf during the packaging process, how could I be sure it really fixed what the CVE author was getting at? Anyways, thanks for finding someone who might be a good source of information for this one. Maybe we can put this to rest soon. |
|
Patch in #509 |
Since this has gone unfixed, I am kindly placing this here for visibility:
https://nvd.nist.gov/vuln/detail/cve-2022-22995
It is unclear to me exactly what the issue is. Is it the default afp.conf that ships with nearly all parameters commented out?
As the fedora packager for netatalk, I could continue to just ignore this, but thought I'd mention something in case the current upstream maintainers are not aware.
https://bugzilla.redhat.com/show_bug.cgi?id=2069300
The text was updated successfully, but these errors were encountered: