oss-sec mailing list archives

netatalk 4.4.3 fixes 20 CVEs, leaves 18 for later


From: Alan Coopersmith <alan.coopersmith () oracle com>
Date: Fri, 15 May 2026 12:36:24 -0700

https://sourceforge.net/p/netatalk/mailman/message/59334272/ announced:
The Netatalk team is proud to announce the latest version in the Netatalk 4.4 release series.

In addition to the following security fixes, this release contains a handful of UAM and container hardening 
improvements.

CVE-2026-44047, CVE-2026-44048, CVE-2026-44049, CVE-2026-44050,
CVE-2026-44051, CVE-2026-44052, CVE-2026-44054, CVE-2026-44055,
CVE-2026-44057, CVE-2026-44060, CVE-2026-44062, CVE-2026-44064,
CVE-2026-44066, CVE-2026-44068, CVE-2026-44076, CVE-2026-45354,
CVE-2026-45355, CVE-2026-45356, CVE-2026-45698, CVE-2026-45699

All users of previous Netatalk versions are encouraged to upgrade to 4.4.3.

Release notes: https://netatalk.io/4.4/ReleaseNotes4.4.3

Security advisories: https://netatalk.io/security

https://netatalk.io/4.4/ReleaseNotes4.4.3 adds:
Note that there are another outstanding 18 CVEs that are not fixed in
this release, because the Netatalk team deemed them to be of lower
severity. These will be addressed in a future feature release.

https://netatalk.io/security provides these one line summaries, with
links to more details:
CVE ID          Subject                                                 Disclosure      Affected Vers   Severity
CVE-2026-45699  Stack-based buffer overflow in copydir()                2026/05/13      3.2.0 - 4.4.2   High
CVE-2026-45698  Stack-based buffer overflow in deletedir()              2026/05/13      3.2.0 - 4.4.2   High
CVE-2026-45356  Integer underflow in Spotlight RPC count decrement      2026/05/13      3.1.0 - 4.4.2   High
CVE-2026-45355  Integer underflow to heap OOB read                      2026/05/13      3.1.0 - 4.4.2   High
CVE-2026-45354  Pre-authentication DSI protocol desync                  2026/05/13      1.5.0 - 4.4.2   High
CVE-2026-44076  Shell injection via volume path                         2026/05/13      3.1.0 - 4.4.2   Medium
CVE-2026-44075  Missing break in DSI OpenSession                        2026/05/13      1.5.0 - 4.4.3   None
CVE-2026-44074  Bitwise OR of errno values                              2026/05/13      2.1.0 - 4.4.3   None
CVE-2026-44073  seteuid failure ignored in auth modules                 2026/05/13      1.5.0 - 4.4.3   Medium
CVE-2026-44072  system() after failed chdir()                           2026/05/13      2.2.1 - 4.4.3   Low
CVE-2026-44071  FORTIFY_SOURCE disabled                                 2026/05/13      3.1.2 - 4.4.3   None
CVE-2026-44070  Unbounded realloc in charset conversion                 2026/05/13      2.0.0 - 4.4.3   Low
CVE-2026-44069  Integer underflow in volxlate                           2026/05/13      3.0.0 - 4.4.3   Low
CVE-2026-44068  EA path traversal via incomplete sanitization           2026/05/13      2.1.0 - 4.4.2   High
CVE-2026-44067  EA header parsing heap over-read                        2026/05/13      2.1.0 - 4.4.3   Low
CVE-2026-44066  Heap out-of-bounds reads in Spotlight RPC unmarshalling 2026/05/13      3.0.0 - 4.4.2   High
CVE-2026-44065  Off-by-two in papd lp_write()                           2026/05/13      2.0.0 - 4.4.3   Low
CVE-2026-44064  ASP session ID out-of-bounds access                     2026/05/13      1.3 - 4.4.2     High
CVE-2026-44063  LDAP filter injection                                   2026/05/13      2.1.0 - 4.4.3   Medium
CVE-2026-44062  Missing o_len bounds check in pull_charset_flags()      2026/05/13      2.0.4 - 4.4.2   High
CVE-2026-44061  DES-ECB auth with timing side channel                   2026/05/13      1.5.0 - 4.4.3   Medium
CVE-2026-44060  Integer underflow in dsi_writeinit()                    2026/05/13      1.5.0 - 4.4.2   High
CVE-2026-44059  Non-reentrant privilege toggle                          2026/05/13      2.2.5 - 4.4.3   Low
CVE-2026-44058  Authentication bypass via admin auth user               2026/05/13      2.2.2 - 4.4.3   Medium
CVE-2026-44057  Dead bounds check in Spotlight RPC unmarshaller         2026/05/13      3.0.0 - 4.4.2   None
CVE-2026-44056  Stack buffer overflow in desktop.c                      2026/05/13      1.3 - 4.2.3     Medium
CVE-2026-44055  Bitwise OR logic bug enables shell injection            2026/05/13      3.1.4 - 4.4.2   High
CVE-2026-44054  Predictable afpd session token                          2026/05/13      2.0.0 - 4.4.2   Medium
CVE-2026-44053  Weak cryptography in DHCAST128 UAM                      2026/05/13      1.5.0 - 4.2.3   High
CVE-2026-44052  LDAP simple-bind password exposure in log output        2026/05/13      2.1.0 - 4.4.2   High
CVE-2026-44051  Arbitrary file read via attacker-controlled symlink     2026/05/13      3.0.2 - 4.4.2   High
CVE-2026-44050  Heap buffer overflow in CNID daemon comm_rcv()          2026/05/13      2.0.0 - 4.4.2   Critical
CVE-2026-44049  Out-of-bounds write in convert_charset null termination 2026/05/13      2.0.4 - 4.4.2   High
CVE-2026-44048  Stack buffer overflow via UCS-2 type confusion in ...   2026/05/13      2.0.4 - 4.4.2   High
CVE-2026-44047  SQL injection in MySQL CNID backend                     2026/05/13      3.1.0 - 4.4.2   High
CVE-2026-7837   TOCTOU with root privilege in ad_flush                  2026/05/13      3.0.0 - 4.4.3   None
CVE-2026-7836   hextoint macro uppercase bug                            2026/05/13      2.0.0 - 4.4.3   Low
CVE-2026-7835   Format string argument mismatch                         2026/05/13      3.0.3 - 4.4.3   Low

--
        -Alan Coopersmith-                 alan.coopersmith () oracle com
         Oracle Solaris Engineering - https://blogs.oracle.com/solaris


Current thread: